Platform
other
Component
sunshine
Opgelost in
2025.628.4511
CVE-2025-53095 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Sunshine, a self-hosted game stream host for Moonlight. This flaw allows attackers to trick authenticated users into performing unintended actions within the Sunshine application. The vulnerability stems from a lack of CSRF protection in the web UI, enabling command injection through the "Command Preparations" feature, potentially leading to arbitrary OS command execution.
The primary impact of CVE-2025-53095 is the potential for remote code execution (RCE) on the server hosting Sunshine. An attacker can craft a malicious web page that, when visited by an authenticated user, will execute arbitrary commands on the server. This could lead to complete system compromise, data exfiltration, or denial of service. Given Sunshine's role in game streaming, a successful exploit could also disrupt game services and potentially expose user account information. The "Command Preparations" feature, designed for legitimate purposes, becomes a direct attack vector due to the missing CSRF protection.
CVE-2025-53095 was published on 2025-07-01. The vulnerability's CRITICAL CVSS score indicates a high likelihood of exploitation. Public proof-of-concept (POC) code is currently unknown, but the ease of exploitation (requiring only a crafted web page) suggests that it may become publicly available. The vulnerability's impact, combined with the relatively simple attack vector, makes it a high-priority concern. No active campaigns have been publicly reported at the time of writing.
Exploit Status
EPSS
0.04% (13% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-53095 is to immediately upgrade Sunshine to version 2025.628.4510 or later. If upgrading is not immediately feasible, consider implementing a temporary workaround by restricting access to the Sunshine web UI to trusted networks or users. While not a complete solution, this can reduce the attack surface. Additionally, implement strict input validation and sanitization on all user-supplied data within the "Command Preparations" feature to minimize the impact of any potential exploitation. After upgrading, confirm the fix by attempting to trigger a command execution via a crafted CSRF request; the request should be rejected.
Actualice Sunshine a la versión 2025.628.4510 o posterior. Esta actualización corrige la vulnerabilidad CSRF que permite la inyección de comandos. Descargue la última versión desde el sitio web oficial de LizardByte o a través del mecanismo de actualización integrado en la aplicación.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-53095 is a critical Cross-Site Request Forgery (CSRF) vulnerability in Sunshine, allowing attackers to execute arbitrary commands via the "Command Preparations" feature if you're using a version before 2025.628.4510.
You are affected if you are running Sunshine version 2025.628.4510 or earlier. Check your version using ./sunshine --version and upgrade immediately.
Upgrade Sunshine to version 2025.628.4510 or later. As a temporary workaround, restrict access to the web UI to trusted networks.
While no active campaigns have been publicly reported, the vulnerability's severity and ease of exploitation suggest it may become a target. Monitor your logs and apply the fix promptly.
Refer to the official Sunshine project website and GitHub repository for the latest security advisories and updates: [https://github.com/Sunshine-Project/Sunshine](https://github.com/Sunshine-Project/Sunshine)
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.