CVE-2025-53095 Information

Jul 02, 2025 cve

Description

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510 the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that when visited by an authenticated user can trigger unintended actions within the Sunshine application on behalf of that user. Specifically since the application does OS command execution by design this issue can be exploited to abuse the \Command Preparations\ feature enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510.

Reference

https://github.com/LizardByte/Sunshine/commit/738ac93a0ec1cd10412d1f339968775f53bfefe0 https://github.com/LizardByte/Sunshine/security/advisories/GHSA-39hj-fxvw-758m

CNNVD-202507-009 (Published: 2025-07-01)

Share on: