CVE-2025-53096
BaseFortify
Publication date: 2025-07-01
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lizardbyte | sunshine | before 2025.628.4510 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1021 | The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53096 is a Clickjacking vulnerability in the Sunshine web UI prior to version 2025.628.4510. The Sunshine interface lacked protections against being embedded in invisible or disguised iframes on malicious websites. An attacker can exploit this by tricking an authenticated user into interacting with the malicious page, causing the user to unknowingly perform actions within Sunshine without consent. For example, attackers could cause users to click hidden buttons like "Unpair All," which removes all clients and disrupts service, or perform other unauthorized actions such as restarting the instance or changing configurations. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized actions being performed on your Sunshine instance without your knowledge or consent if you interact with a malicious website while authenticated. Potential impacts include service disruption by removing all paired clients, loss of remote access, forced reconfiguration of clients, restarting the Sunshine instance, or unauthorized configuration changes. These impacts affect the integrity and availability of the service, though confidentiality is not impacted. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the Sunshine web UI responses lack the HTTP headers that prevent framing, specifically "X-Frame-Options: DENY" and "Content-Security-Policy: frame-ancestors 'none'". You can use a tool like curl to inspect the HTTP response headers from the Sunshine server. For example, run: curl -I http://<sunshine-server>/index.html and check whether the "X-Frame-Options" and "Content-Security-Policy" headers are present and correctly set. If these headers are missing or not set to deny framing, the system is vulnerable to clickjacking. [1, 2]
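The header check described above can be scripted. The following is an added example, not code from this page or from the Sunshine project: a POSIX shell function, hypothetically named check_framing, that reads raw response headers on stdin and classifies them. The "review" verdict for policies other than deny-all is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the Sunshine project): classify anti-framing headers.
# Reads raw HTTP response headers on stdin, prints one summary line and
# returns 0 only when framing is denied outright.
# Usage: curl -sI http://<sunshine-server>/index.html | check_framing
check_framing() {
    awk -v q="'" '
    BEGIN { xfo = "missing"; fa = "missing" }
    {
        sub(/\r$/, "")                      # tolerate CRLF line endings
        c = index($0, ":")
        if (c == 0) next                    # status line or blank line
        name = tolower(substr($0, 1, c - 1))
        val = substr($0, c + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (name == "x-frame-options") {
            xfo = toupper(val)
        } else if (name == "content-security-policy") {
            # The -Report-Only header has a different name and is not enforced.
            n = split(val, dirs, ";")
            for (i = 1; i <= n; i++) {
                d = tolower(dirs[i])
                gsub(/^[ \t]+|[ \t]+$/, "", d)
                if (d !~ /^frame-ancestors([ \t]|$)/) continue
                sub(/^frame-ancestors[ \t]*/, "", d)
                gsub(q, "", d)              # drop the quotes around keywords
                if (fa != "none") fa = (d == "" ? "empty" : d)
                break                       # first occurrence in a policy wins
            }
        }
    }
    END {
        if (xfo == "DENY" || fa == "none")                 v = "deny"
        else if (xfo == "SAMEORIGIN" || fa != "missing")   v = "review"
        else                                               v = "unprotected"
        printf "x-frame-options=%s frame-ancestors=%s verdict=%s\n", xfo, fa, v
        exit (v == "deny" ? 0 : 1)
    }'
}
```

A "deny" verdict matches the headers the patched release sends; "unprotected" means neither header restricts framing.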
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the Sunshine application to version 2025.628.4510 or later, where the issue is patched. This update adds strict HTTP headers such as "X-Frame-Options: DENY" and "Content-Security-Policy: frame-ancestors 'none'" to prevent the UI from being embedded in iframes, effectively blocking clickjacking attacks. Additionally, ensure that Basic Authentication is used cautiously, as it is inherently vulnerable to clickjacking in Chromium-based browsers without these protections. [1, 2]