CVE-2025-53095
BaseFortify
Publication date: 2025-07-01
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lizardbyte | sunshine | up to 2025.628.4510 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53095 is a critical vulnerability in the Sunshine application prior to version 2025.628.4510. The web UI lacked protection against Cross-Site Request Forgery (CSRF) attacks. This means an attacker can craft a malicious web page that, when visited by an authenticated Sunshine user, triggers unintended actions within the application. Specifically, because Sunshine allows OS command execution via its "Command Preparations" feature, an attacker can inject arbitrary OS commands that execute with Administrator privileges. This can happen remotely without Sunshine being publicly exposed, and requires only that the user visits the malicious page while authenticated. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized execution of arbitrary OS commands with Administrator privileges on the host running Sunshine. An attacker can remotely trigger these commands by tricking an authenticated user into visiting a malicious web page. This can lead to full system compromise, unauthorized pairing of new devices, and potentially complete loss of confidentiality, integrity, and availability of the affected system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Sunshine application version is prior to 2025.628.4510, as those versions lack CSRF protection. Additionally, monitoring HTTP POST requests to Sunshine's API endpoints for missing or incorrect Content-Type headers (not set to application/json) can indicate vulnerability. Since the attack involves CSRF exploiting Basic Authentication headers, inspecting web traffic for unauthorized or suspicious POST requests with Basic Auth headers from unexpected origins may help detect exploitation attempts. Specific commands are not provided in the resources. [1, 2]
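The two traffic checks described in the answer above, as an added example that is not part of the original page or of the Sunshine project: a Python pass over constructed JSON-lines request records. The record fields, the host name and origin, and the `/api/example` path are assumptions made for illustration.

```python
import json

# Constructed sample records (JSON lines), as a proxy or capture in front of
# the web UI might emit them. Field names, host and path are assumptions.
SAMPLE_LOG = """\
{"method":"POST","path":"/api/example","content_type":"application/json; charset=utf-8","origin":"https://sunshine.example:47990","basic_auth":true}
{"method":"POST","path":"/api/example","content_type":"text/plain","origin":"https://untrusted.example","basic_auth":true}
{"method":"POST","path":"/api/example","content_type":null,"origin":null,"basic_auth":true}
{"method":"GET","path":"/","content_type":null,"origin":null,"basic_auth":true}
{"method":"POST","path":"/api/example","content_type":"application/json","origin":"https://untrusted.example","basic_auth":true}
"""

UI_ORIGIN = "https://sunshine.example:47990"  # assumed origin of the web UI


def media_type(content_type):
    """Return the lower-cased media type without parameters, or '' if absent."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def review(record, ui_origin=UI_ORIGIN):
    """Return the list of reasons a logged request looks suspicious."""
    reasons = []
    if record.get("method", "").upper() != "POST":
        return reasons
    if media_type(record.get("content_type")) != "application/json":
        reasons.append("non-json-content-type")
    origin = record.get("origin")
    if record.get("basic_auth") and origin and origin.lower() != ui_origin.lower():
        reasons.append("basic-auth-from-foreign-origin")
    return reasons


def scan(log_text, ui_origin=UI_ORIGIN):
    """Return (line_number, reasons) for every flagged record in the log."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = review(json.loads(line), ui_origin)
        if reasons:
            findings.append((number, reasons))
    return findings


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

A request with no `Origin` header is not flagged by the second check, so the Content-Type check is the one that covers it.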
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Sunshine application to version 2025.628.4510 or later, where the vulnerability is patched by enforcing strict Content-Type validation on POST requests and fixing CSRF protections. Until the upgrade, avoid visiting untrusted web pages while authenticated to Sunshine, and consider restricting access to the Sunshine web UI to trusted networks or users to reduce exposure. [1, 2]