Skip to main content

CVE-2025-53095: CWE-352: Cross-Site Request Forgery (CSRF) in LizardByte Sunshine

Critical
VulnerabilityCVE-2025-53095cvecve-2025-53095cwe-352
Published: Tue Jul 01 2025 (07/01/2025, 01:33:22 UTC)
Source: CVE Database V5
Vendor/Project: LizardByte
Product: Sunshine

Description

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510.

AI-Powered Analysis

AILast updated: 07/01/2025, 02:24:33 UTC

Technical Analysis

CVE-2025-53095 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting the web UI of LizardByte's Sunshine, a self-hosted game streaming server used in conjunction with Moonlight clients. Prior to version 2025.628.4510, Sunshine's web interface lacks CSRF protections, allowing attackers to craft malicious web pages that, when visited by authenticated users, can trigger unauthorized actions within the application. The vulnerability is particularly severe because Sunshine inherently supports OS command execution via its 'Command Preparations' feature. Exploiting this CSRF flaw enables an attacker to inject arbitrary OS commands that execute with Administrator privileges whenever a game or application is launched through Sunshine. This can lead to full system compromise, including data theft, system manipulation, or persistent backdoors. The vulnerability has a CVSS v3.1 score of 9.7, reflecting its criticality, with network attack vector, no privileges required, but user interaction needed (visiting a malicious page). The scope is changed, as the attack can affect the entire system beyond the web UI. No known exploits are currently reported in the wild, but the potential impact is severe. The issue was patched in version 2025.628.4510 by adding proper CSRF protections to the web UI.

Potential Impact

For European organizations using Sunshine for game streaming or remote access, this vulnerability poses a significant risk. An attacker could leverage social engineering to trick authenticated users into visiting malicious websites, resulting in arbitrary command execution with administrative rights on the host system. This could lead to data breaches, unauthorized access to sensitive information, disruption of services, or deployment of malware/ransomware. Organizations with less mature security awareness or lacking network segmentation may be particularly vulnerable. Since Sunshine is self-hosted, compromised hosts could serve as pivot points for lateral movement within corporate networks. The impact extends beyond confidentiality to integrity and availability, as attackers can manipulate system processes or disrupt streaming services. Given the criticality and ease of exploitation, European entities relying on Sunshine should prioritize remediation to prevent potential operational and reputational damage.

Mitigation Recommendations

1. Immediate upgrade to Sunshine version 2025.628.4510 or later to apply the official patch that addresses the CSRF vulnerability. 2. Implement network-level protections such as web application firewalls (WAFs) to detect and block suspicious CSRF attack patterns targeting the Sunshine web UI. 3. Enforce strict Content Security Policy (CSP) headers and SameSite cookie attributes to reduce the risk of CSRF exploitation. 4. Educate users about the risks of visiting untrusted websites while authenticated to Sunshine, emphasizing phishing and social engineering awareness. 5. Restrict access to the Sunshine web UI to trusted networks or VPNs to minimize exposure to external attackers. 6. Monitor logs for unusual command execution or access patterns indicative of exploitation attempts. 7. Consider deploying endpoint detection and response (EDR) solutions to detect anomalous OS command executions. 8. Regularly audit and review administrative privileges and command preparation configurations within Sunshine to limit potential abuse.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-06-25T13:41:23.086Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 686343566f40f0eb728ddd81

Added to database: 7/1/2025, 2:09:26 AM

Last enriched: 7/1/2025, 2:24:33 AM

Last updated: 7/1/2025, 1:39:26 PM

Views: 10

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats