Platform
nodejs
Component
growi
Fixed in
7.3.4
CVE-2025-64700 describes a cross-site request forgery (XSRF) vulnerability affecting GROWI versions up to 7.3.3. An attacker can leverage this flaw to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized data modification or system compromise. The vulnerability is fixed in GROWI version 7.3.4, and users are strongly advised to upgrade.
The primary impact of this XSRF vulnerability lies in the potential for unauthorized actions performed on behalf of an authenticated user. An attacker could craft a malicious page that, when viewed by a logged-in GROWI user, triggers unintended operations within the GROWI instance. This could include creating, deleting, or modifying knowledge base articles, changing user permissions, or executing other administrative tasks. The blast radius is limited to the scope of actions a user can perform within GROWI, but the consequences can be significant if an attacker gains control of an administrator account.
This vulnerability was publicly disclosed on 2025-12-17. There are currently no known public exploits or active campaigns targeting this specific vulnerability. The CVSS score of 4.3 indicates a medium probability of exploitation. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS
0.02% (6% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64700 is to upgrade GROWI to version 7.3.4 or later, which contains the fix. If immediate upgrading is not possible, consider implementing additional security layers such as requiring multi-factor authentication (MFA) for all GROWI users, particularly administrators. Implementing strict content security policy (CSP) headers can also help mitigate XSRF attacks by restricting the sources from which scripts can be executed. Monitor GROWI logs for suspicious activity, especially unusual requests originating from unfamiliar sources.
Update GROWI to a version later than 7.3.3. This will resolve the Cross-Site Request Forgery (CSRF) vulnerability. See the release notes for more details about the update.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-64700 is a cross-site request forgery (XSRF) vulnerability affecting GROWI versions 7.3.3 and earlier, allowing attackers to trick authenticated users into performing unintended actions.
You are affected if you are using GROWI version 7.3.3 or earlier. Upgrade to 7.3.4 to mitigate the risk.
Upgrade GROWI to version 7.3.4 or later. Consider implementing MFA and strict CSP headers as additional security measures.
As of the current date, there are no known public exploits or active campaigns targeting this vulnerability, but it remains a potential risk.
Refer to the official GROWI release notes and security advisories on the GROWI website for the most up-to-date information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.