Plataforma
nodejs
Componente
growi
Corrigido em
7.3.4
CVE-2025-64700 describes a cross-site request forgery (XSRF) vulnerability affecting GROWI versions up to 7.3.3. An attacker can leverage this flaw to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized data modification or system compromise. The vulnerability is fixed in GROWI version 7.3.4, and users are strongly advised to upgrade.
The primary impact of this XSRF vulnerability lies in the potential for unauthorized actions performed on behalf of an authenticated user. An attacker could craft a malicious page that, when viewed by a logged-in GROWI user, triggers unintended operations within the GROWI instance. This could include creating, deleting, or modifying knowledge base articles, changing user permissions, or executing other administrative tasks. The blast radius is limited to the scope of actions a user can perform within GROWI, but the consequences can be significant if an attacker gains control of an administrator account.
This vulnerability was publicly disclosed on 2025-12-17. There are currently no known public exploits or active campaigns targeting this specific vulnerability. The CVSS score of 4.3 indicates a medium probability of exploitation. It is not listed on the CISA KEV catalog at the time of writing.
Organizations using GROWI for knowledge management, particularly those with multiple users or administrator accounts, are at risk. Environments with weak password policies or a lack of MFA are especially vulnerable. Shared hosting environments where multiple GROWI instances reside on the same server should also be considered at higher risk.
• nodejs / server:
npm audit growi• generic web:
curl -I https://your-growi-instance/ | grep -i 'content-security-policy'• generic web:
grep -r "/growi/api/" /var/log/apache2/access.logdisclosure
Status do Exploit
EPSS
0.02% (percentil 6%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2025-64700 is to upgrade GROWI to version 7.3.4 or later, which contains the fix. If immediate upgrading is not possible, consider implementing additional security layers such as requiring multi-factor authentication (MFA) for all GROWI users, particularly administrators. Implementing strict content security policy (CSP) headers can also help mitigate XSRF attacks by restricting the sources from which scripts can be executed. Monitor GROWI logs for suspicious activity, especially unusual requests originating from unfamiliar sources.
Atualize GROWI para uma versão posterior a 7.3.3. Isso corrigirá a vulnerabilidade de Cross-Site Request Forgery (CSRF). Consulte as notas da versão para obter mais detalhes sobre a atualização.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2025-64700 is a cross-site request forgery (XSRF) vulnerability affecting GROWI versions 7.3.3 and earlier, allowing attackers to trick authenticated users into performing unintended actions.
You are affected if you are using GROWI version 7.3.3 or earlier. Upgrade to 7.3.4 to mitigate the risk.
Upgrade GROWI to version 7.3.4 or later. Consider implementing MFA and strict CSP headers as additional security measures.
As of the current date, there are no known public exploits or active campaigns targeting this vulnerability, but it remains a potential risk.
Refer to the official GROWI release notes and security advisories on the GROWI website for the most up-to-date information.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.