Une vulnérabilité de falsification de requête intersite (Cross-site request forgery) existe dans GROWI v7.3.3 et versions antérieures. Si un utilisateur consulte une page malveillante tout en étant connecté, il peut être amené à effectuer des opérations non intentionnelles.
Plateforme
nodejs
Composant
growi
Corrigé dans
7.3.4
CVE-2025-64700 describes a cross-site request forgery (XSRF) vulnerability affecting GROWI versions up to 7.3.3. An attacker can leverage this flaw to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized data modification or system compromise. The vulnerability is fixed in GROWI version 7.3.4, and users are strongly advised to upgrade.
Impact et Scénarios d'Attaquetraduction en cours…
The primary impact of this XSRF vulnerability lies in the potential for unauthorized actions performed on behalf of an authenticated user. An attacker could craft a malicious page that, when viewed by a logged-in GROWI user, triggers unintended operations within the GROWI instance. This could include creating, deleting, or modifying knowledge base articles, changing user permissions, or executing other administrative tasks. The blast radius is limited to the scope of actions a user can perform within GROWI, but the consequences can be significant if an attacker gains control of an administrator account.
Contexte d'Exploitationtraduction en cours…
This vulnerability was publicly disclosed on 2025-12-17. There are currently no known public exploits or active campaigns targeting this specific vulnerability. The CVSS score of 4.3 indicates a medium probability of exploitation. It is not listed on the CISA KEV catalog at the time of writing.
Qui Est à Risquetraduction en cours…
Organizations using GROWI for knowledge management, particularly those with multiple users or administrator accounts, are at risk. Environments with weak password policies or a lack of MFA are especially vulnerable. Shared hosting environments where multiple GROWI instances reside on the same server should also be considered at higher risk.
Étapes de Détectiontraduction en cours…
• nodejs / server:
npm audit growi• generic web:
curl -I https://your-growi-instance/ | grep -i 'content-security-policy'• generic web:
grep -r "/growi/api/" /var/log/apache2/access.logChronologie de l'Attaque
- Disclosure
disclosure
Renseignement sur les Menaces
Statut de l'Exploit
EPSS
0.02% (percentile 6%)
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Aucun — sans authentification. Aucune identifiant requis pour exploiter.
- User Interaction
- Requise — la victime doit ouvrir un fichier, cliquer sur un lien ou visiter une page.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Aucun — aucun impact sur la confidentialité.
- Integrity
- Faible — l'attaquant peut modifier certaines données avec un impact limité.
- Availability
- Aucun — aucun impact sur la disponibilité.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- EPSS mis à jour
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2025-64700 is to upgrade GROWI to version 7.3.4 or later, which contains the fix. If immediate upgrading is not possible, consider implementing additional security layers such as requiring multi-factor authentication (MFA) for all GROWI users, particularly administrators. Implementing strict content security policy (CSP) headers can also help mitigate XSRF attacks by restricting the sources from which scripts can be executed. Monitor GROWI logs for suspicious activity, especially unusual requests originating from unfamiliar sources.
Comment corriger
Mettez à jour GROWI vers une version ultérieure à la 7.3.3. Cela corrigera la vulnérabilité de Cross-Site Request Forgery (CSRF). Consultez les notes de version pour plus de détails sur la mise à jour.
Newsletter Sécurité CVE
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
Questions fréquentestraduction en cours…
What is CVE-2025-64700 — XSRF in GROWI Knowledge Base?
CVE-2025-64700 is a cross-site request forgery (XSRF) vulnerability affecting GROWI versions 7.3.3 and earlier, allowing attackers to trick authenticated users into performing unintended actions.
Am I affected by CVE-2025-64700 in GROWI Knowledge Base?
You are affected if you are using GROWI version 7.3.3 or earlier. Upgrade to 7.3.4 to mitigate the risk.
How do I fix CVE-2025-64700 in GROWI Knowledge Base?
Upgrade GROWI to version 7.3.4 or later. Consider implementing MFA and strict CSP headers as additional security measures.
Is CVE-2025-64700 being actively exploited?
As of the current date, there are no known public exploits or active campaigns targeting this vulnerability, but it remains a potential risk.
Where can I find the official GROWI advisory for CVE-2025-64700?
Refer to the official GROWI release notes and security advisories on the GROWI website for the most up-to-date information.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.