CVE-2025-64752 is a Server-Side Request Forgery (SSRF) vulnerability identified in gristlabs' grist-core, a spreadsheet hosting server. The vulnerability exists in versions prior to 1.7.7 and arises from a feature that allows users with access to any document on a Grist installation to fetch data from arbitrary URLs. These fetch requests are executed on the server side, which typically has privileged network access, including access to internal networks and services not exposed externally. An attacker exploiting this SSRF can coerce the server into making unauthorized requests to internal or external systems, potentially leading to information disclosure or further attack escalation within the network. The vulnerability does not require any privileges or user interaction, increasing its risk profile. The flaw was addressed in version 1.7.7 by implementing a proxy mechanism for untrusted fetches, effectively isolating and controlling outbound requests. As a workaround, administrators are advised to avoid exposing HTTP/HTTPS endpoints that handle sensitive credentials or operate without authentication to the Grist instance. The CVSS v3.1 score of 6.8 reflects a medium severity, with a network attack vector, high confidentiality impact, no integrity or availability impact, and no privileges or user interaction required. No known exploits have been reported in the wild as of the publication date.

For European organizations using grist-core versions prior to 1.7.7, this SSRF vulnerability poses a significant risk of unauthorized internal network access and data exposure. Attackers could leverage the server's privileged network position to access internal services, potentially bypassing perimeter defenses. This could lead to disclosure of sensitive information such as internal APIs, databases, or cloud metadata services, which may contain credentials or configuration data. Although the vulnerability does not directly impact data integrity or availability, the confidentiality breach could facilitate further attacks, including lateral movement or privilege escalation within the affected environment. Organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, may face regulatory and reputational consequences if sensitive data is exposed. The medium severity score suggests a moderate but non-negligible risk, especially in environments where grist-core is integrated with critical internal systems or where network segmentation is weak.

To mitigate this vulnerability, European organizations should immediately upgrade grist-core installations to version 1.7.7 or later, where the SSRF issue is fixed by routing untrusted fetches through a proxy. Until upgrades can be performed, administrators should restrict the Grist server's network access by implementing strict egress filtering and firewall rules to limit outbound HTTP/HTTPS requests only to trusted destinations. Additionally, avoid exposing HTTP/HTTPS endpoints that handle sensitive credentials or operate without authentication to the Grist instance. Network segmentation should be enforced to isolate the Grist server from critical internal services. Monitoring and logging of outbound requests from the Grist server should be enhanced to detect anomalous or unauthorized fetch attempts. Finally, review and audit user permissions to ensure that only trusted users have document access, reducing the attack surface for SSRF exploitation.