CVE-2025-64753: CWE-863: Incorrect Authorization in gristlabs grist-core
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint.
AI Analysis
Technical Summary
The vulnerability CVE-2025-64753 affects grist-core, a spreadsheet hosting server, in versions before 1.7.7. The root cause is an incorrect authorization check (CWE-863) on the /compare API endpoint, which is intended to provide version comparison data for documents. Users with only partial read access could still query this endpoint and retrieve hashes and detailed change lists between document versions, including cells, columns, or tables that they were not authorized to view. This leads to unauthorized disclosure of sensitive data, violating confidentiality. The vulnerability does not affect integrity or availability. The CVSS 3.1 base score is 5.3 (medium), reflecting network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality impact. The fix implemented in version 1.7.7 restricts access to the /compare endpoint to users with full read access only. As an interim mitigation, administrators can remove sensitive document history using the /states/remove endpoint or block access to the /compare endpoint altogether. There are no known exploits in the wild, but the vulnerability could be leveraged by malicious insiders or attackers who have obtained low-level access to the system.
Potential Impact
For European organizations using grist-core for spreadsheet hosting and collaboration, this vulnerability poses a risk of unauthorized data disclosure. Sensitive business information, financial data, or personal data stored in spreadsheets could be exposed to users with limited permissions, violating data protection regulations such as GDPR. The leak of historical changes could reveal confidential operational details or intellectual property. Although the vulnerability does not allow data modification or system disruption, the confidentiality breach alone can lead to reputational damage, regulatory penalties, and loss of competitive advantage. Organizations in sectors with strict data privacy requirements, such as finance, healthcare, and government, are particularly at risk. The medium severity score indicates a moderate but actionable threat, especially in environments where partial read access is granted to many users or external collaborators.
Mitigation Recommendations
European organizations should promptly upgrade grist-core to version 1.7.7 or later to ensure the authorization fix is applied. Until the upgrade can be performed, administrators should consider removing sensitive document history using the /states/remove endpoint to limit exposure of past changes. Additionally, blocking or restricting access to the /compare endpoint at the network or application level can prevent unauthorized queries. Access controls should be reviewed to minimize partial read permissions and ensure users only have the minimum necessary access. Monitoring and logging access to document comparison endpoints can help detect suspicious activity. Organizations should also audit their spreadsheets for sensitive data that might have been exposed historically and assess compliance with data protection regulations. Finally, educating users about the risks of sharing partial access to sensitive documents is advisable.
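The interim workaround and the monitoring advice above can be checked mechanically. The following added Python example is not grist-core's own code and is not from the advisory: it flags requests to the document comparison endpoint in constructed access-log lines, counts the ones that succeeded per user and document, and decides whether a deployed version still needs the workaround. The route shape `/api/docs/<docId>/compare[/<docId2>]`, the optional `/o/<org>/` prefix, the combined log format and the log lines themselves are assumptions made for the example; confirm the route and log format against your own deployment before using the pattern in a real detection rule.

```python
import re
from collections import Counter

# Assumed route shape for the endpoint the advisory calls `/compare`
# (hypothetical pattern for this example; verify against your deployment):
#   /api/docs/<docId>/compare            compare states of one document
#   /api/docs/<docId>/compare/<docId2>   compare two documents
# An optional /o/<org>/ prefix is tolerated for per-organization paths.
COMPARE_RE = re.compile(
    r"^/(?:o/[^/]+/)?api/docs/(?P<doc>[^/?#]+)/compare"
    r"(?:/(?P<other>[^/?#]+))?(?:[?#].*)?$"
)

# Minimal combined-log-format parser; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)

FIXED_VERSION = (1, 7, 7)  # first grist-core release with the authorization fix

# Constructed sample log lines (not real traffic) for the demonstration.
SAMPLE_LOG = [
    '10.0.0.5 - alice [13/Nov/2025:21:50:12 +0000] "GET /api/docs/abc123/compare?left=1&right=2 HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [13/Nov/2025:21:50:15 +0000] "GET /api/docs/abc123/compare/def456 HTTP/1.1" 200 9876',
    '10.0.0.9 - bob [13/Nov/2025:21:51:02 +0000] "GET /api/docs/abc123/tables/Table1/records HTTP/1.1" 200 400',
    '10.0.0.9 - bob [13/Nov/2025:21:51:10 +0000] "GET /api/docs/abc123/compare HTTP/1.1" 403 0',
    '10.0.0.7 - carol [13/Nov/2025:21:52:00 +0000] "GET /o/acme/api/docs/xyz789/compare HTTP/1.1" 200 2048',
]


def match_compare(path):
    """Return (docId, otherDocId or None) when `path` targets the compare
    endpoint, else None. Query strings and fragments are ignored."""
    m = COMPARE_RE.match(path)
    if not m:
        return None
    return (m.group("doc"), m.group("other"))


def scan_access_log(lines):
    """Count successful (2xx) compare requests per (user, docId).
    Unparseable lines and non-compare paths are skipped; denied requests
    (non-2xx) are not counted because no data was returned for them."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = match_compare(m.group("path"))
        if target is None or not m.group("status").startswith("2"):
            continue
        hits[(m.group("user"), target[0])] += 1
    return hits


def needs_workaround(version):
    """True when the running grist-core version predates 1.7.7.
    Compares numerically so that 1.10.0 is correctly newer than 1.7.7
    (a plain string comparison would get that wrong)."""
    nums = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    if len(nums) < 3:
        raise ValueError(f"unrecognised version string: {version!r}")
    return nums < FIXED_VERSION


if __name__ == "__main__":
    for (user, doc), count in sorted(scan_access_log(SAMPLE_LOG).items()):
        print(f"{user}: {count} successful compare request(s) against {doc}")
    for v in ("1.7.6", "1.7.7", "1.10.0"):
        print(f"grist-core {v}: workaround needed = {needs_workaround(v)}")
```

On the sample lines the scan reports two successful comparisons by alice and one by carol, while bob's denied attempt is excluded. In practice, cross-reference the reported (user, docId) pairs against the document's access rules: a successful compare request by a user who holds only partial read access on that document, on a version before 1.7.7, is the exposure the advisory describes and the document's history should be reviewed.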
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-10T22:29:34.874Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6916529405b975ba759276fe
Added to database: 11/13/2025, 9:50:12 PM
Last enriched: 11/20/2025, 11:14:24 PM
Last updated: 12/29/2025, 7:29:13 AM