Overview
CVE-2025-64753 is a medium severity information disclosure vulnerability affecting Grist-Core, a spreadsheet hosting server. This vulnerability allows a user with partial read access to a document to potentially gain unauthorized access to sensitive information by accessing endpoints listing document version hashes and comparing versions. Specifically, the `/compare` endpoint was susceptible to revealing changes containing cells, columns, or tables that the user was not explicitly authorized to view. This issue has been addressed in Grist-Core version 1.7.7.
Technical Details
The vulnerability stems from insufficient access control on the `/compare` endpoint. Even a user with only partial read access to a Grist-Core document could query this endpoint to retrieve the full list of changes between two versions of the document. That list could include cells, columns, or tables the user was not permitted to see, violating the principle of least privilege. Version 1.7.7 mitigates this by restricting the `/compare` endpoint to users with full read access to the document; older versions did not enforce this restriction.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-64753 a score of 5.3 (Medium). This reflects the following characteristics:
- Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely.
- Attack Complexity (AC): Low (L) – Exploitation is relatively straightforward.
- Privileges Required (PR): Low (L) – Only low-level privileges are needed to exploit the vulnerability.
- User Interaction (UI): None (N) – No user interaction is required.
- Scope (S): Unchanged (U) – The vulnerability does not impact resources beyond the affected component.
- Confidentiality Impact (C): High (H) – There is a high potential for confidentiality breach.
- Integrity Impact (I): None (N) – No integrity impact.
- Availability Impact (A): None (N) – No availability impact.
This CVSS score suggests that while the vulnerability is remotely exploitable and poses a significant risk to data confidentiality, it requires some level of privilege and does not directly affect system integrity or availability.
Possible Impact
Successful exploitation of CVE-2025-64753 could lead to the following:
- Unauthorized Data Access: Sensitive information stored in Grist-Core spreadsheets, such as financial data, personal information, or confidential business strategies, could be exposed to unauthorized users.
- Compliance Violations: Exposure of sensitive data could lead to violations of data privacy regulations like GDPR or HIPAA.
- Reputational Damage: A data breach resulting from this vulnerability could damage an organization’s reputation and erode customer trust.
Mitigation or Patch Steps
To address CVE-2025-64753, the following actions are recommended:
- Upgrade to Version 1.7.7 or later: The primary solution is to upgrade Grist-Core to version 1.7.7 or a later version where the vulnerability has been patched.
- Workaround 1: Remove Sensitive Document History: As a workaround for older versions, use the `/states/remove` endpoint to remove sensitive document history that might be exposed. Use this with caution, as it removes historical data.
- Workaround 2: Block the `/compare` Endpoint: Another possible workaround is to block access to the `/compare` endpoint until an upgrade can be performed. This will prevent exploitation of the vulnerability but may also limit legitimate functionality.
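The access restriction that version 1.7.7 applies to the `/compare` endpoint, as described under Technical Details and assumed by the blocking workaround above, modelled as an added JavaScript example (not Grist-Core's own code). The document versions, the user records and the `restrictedColumns` field are constructed for illustration; a raw version diff contains every changed cell, so the hardened handler refuses the request unless the caller has full read access, and a small check shows what such a diff would otherwise expose to a restricted reader.

```javascript
// Added illustration, not Grist-Core's own code: a minimal model of the
// v1.7.7 rule that version comparisons are served only to users with
// full read access. Every name and value below is constructed.

// Constructed document versions. The "People.salary" column is the one
// that granular access rules hide from some readers.
const versionA = { hash: "aaa111", cells: { "People.name": "Ada", "People.salary": 100 } };
const versionB = { hash: "bbb222", cells: { "People.name": "Ada", "People.salary": 120 } };

// Constructed users. A non-empty restrictedColumns list stands in for
// any granular access rule that limits what the user may read.
const users = {
  auditor:    { name: "auditor",    restrictedColumns: [] },
  contractor: { name: "contractor", restrictedColumns: ["People.salary"] },
};

// "Full read access" means no rule restricts the user anywhere in the document.
function hasFullReadAccess(user) {
  return user.restrictedColumns.length === 0;
}

// Raw diff of two versions: every changed cell, with no per-cell filtering.
function diffVersions(a, b) {
  const keys = new Set([...Object.keys(a.cells), ...Object.keys(b.cells)]);
  const changes = [];
  for (const cell of keys) {
    if (a.cells[cell] !== b.cells[cell]) {
      changes.push({ cell, before: a.cells[cell], after: b.cells[cell] });
    }
  }
  return changes;
}

// Hardened compare handler: refuse unless the caller could already read
// every cell, so the diff can never contain anything new to them.
function handleCompare(user, a, b) {
  if (!hasFullReadAccess(user)) {
    return { status: 403, body: { error: "Comparing versions requires full read access" } };
  }
  return { status: 200, body: { from: a.hash, to: b.hash, changes: diffVersions(a, b) } };
}

// Regression check a test suite can run: would an unfiltered diff expose a
// cell this user is not allowed to read?
function diffExposesRestrictedCells(user, changes) {
  const restricted = new Set(user.restrictedColumns);
  return changes.some((c) => restricted.has(c.cell));
}
```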
References
Grist-Core v1.7.7 Release Notes
Grist-Core Security Advisory: GHSA-3v78-cw58-v685
