Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator (validateComponentOverrideSource) additionally blocks these identifiers by word-boundary regex. Both controls are bypassed. String-split bypass of the static validator: any blocked identifier can be reconstructed at runtime from string fragments ('ownerDoc' + 'ument'). DOM ref escape from the sandbox: useRef and useEffect are provided in scope. A ref attached to a rendered element gives a live DOM node. From any real DOM node, node['ownerDoc'+'ument']['def'+'aultView'] yields the real window, bypassing all identifier shadows. Theme packs (.lumitheme / .lumiverse-theme) are the shareable delivery mechanism. A malicious pack is an exploit path: the victim imports the file, enables one component override in the Theme Editor, and the payload fires in their authenticated session.This vulnerability is fixed in 0.9.7.
AnalysisAI
Sandbox escape in Lumiverse AI chat application versions prior to 0.9.7 allows remote attackers to execute arbitrary JavaScript in a victim's authenticated session by delivering a malicious theme pack (.lumitheme / .lumiverse-theme). The component override system's Sucrase-transpiled TSX sandbox is bypassed via string concatenation of blocked identifiers and DOM ref traversal to retrieve the real window object, defeating both static source validation and runtime global shadowing. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-rgp6-55rw-5xf4) documents the exact bypass technique.
Technical ContextAI
Lumiverse (cpe:2.3:a:prolix-oc:lumiverse) implements a client-side plugin model where user-supplied TSX is transpiled with Sucrase and evaluated through new Function with a curated scope that shadows fetch, window, eval and similar globals with undefined. A regex-based static validator (validateComponentOverrideSource) attempts to reject these identifiers at parse time using word-boundary matching. The root cause maps to CWE-693 (Protection Mechanism Failure): both layers are defeated because (1) string concatenation such as 'ownerDoc'+'ument' reconstructs forbidden identifiers at runtime, evading the regex, and (2) React's useRef/useEffect are exposed in scope, so a ref attached to a rendered element exposes a live DOM node whose ownerDocument.defaultView property returns the genuine window - restoring full access to network, storage, and DOM APIs that the shadow scope was meant to block.
RemediationAI
Upgrade to Lumiverse 0.9.7, which is the vendor-released patch identified in advisory GHSA-rgp6-55rw-5xf4 at https://github.com/prolix-oc/Lumiverse/security/advisories/GHSA-rgp6-55rw-5xf4. Until the upgrade is applied, do not import .lumitheme or .lumiverse-theme files from untrusted sources and disable any existing component overrides in the Theme Editor, since a single enabled override is sufficient to trigger the payload; the trade-off is losing customization provided by trusted packs. As a stronger compensating control, restrict theme imports to packs whose source TSX has been manually reviewed for ref-based DOM traversal patterns (e.g., ownerDocument, defaultView, or any bracket-indexed string concatenation against React refs), accepting that manual review does not scale and is brittle against obfuscation.
Remote code execution in Lumiverse AI chat application prior to 0.9.7 allows any authenticated user to run arbitrary OS-
Host-level code execution in Lumiverse AI chat application (versions prior to 0.9.7) allows admin-authenticated attacker
Argument injection in Lumiverse AI chat application before version 0.9.7 enables authenticated high-privilege attackers
Lumiverse's sign-up nonce mechanism prior to version 0.9.7 allows unauthenticated remote attackers to register unauthori
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31979