The core of this vulnerability lies in the application's handling of password recovery tokens. In a secure implementation, such tokens should be invalidated immediately after use to prevent any possibility of reuse. However, in lunary-ai/lunary version 1.2.4, once a user utilizes a recovery token to reset their password, the token remains valid. This oversight allows an attacker who has access to the token, possibly by compromising the victim's email account, to repeatedly change the user's password without authorization.

An attacker begins by obtaining a password recovery token, likely through accessing the victim's email. They then use this token to reset the victim's password, gaining unauthorized access to the account. Due to the token not being invalidated after this initial use, the attacker can continue to change the password multiple times, potentially locking out the legitimate user and maintaining control over the account.

Users of lunary-ai/lunary version 1.2.4 who utilize the password recovery feature are at risk. Specifically, if an attacker can access or intercept the password recovery token, they can exploit this vulnerability to gain unauthorized access and potentially maintain persistent control over the user's account.