Description
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510.
EPSS Score:
0%
Comprehensive Technical Analysis of EUVD-2025-19597
1. Vulnerability Assessment and Severity Evaluation
The vulnerability described in EUVD-2025-19597 pertains to a Cross-Site Request Forgery (CSRF) issue in the web UI of Sunshine, a self-hosted game stream host for Moonlight. This vulnerability allows an attacker to exploit the "Command Preparations" feature to inject arbitrary commands, which are executed with Administrator privileges. The severity of this vulnerability is rated with a CVSS Base Score of 9.7, indicating a critical risk.
CVSS Vector Breakdown:
- AV:N (Network Vector): The vulnerability is exploitable over the network.
- AC:L (Low Complexity): The attack requires low skill or resources.
- PR:N (No Privileges Required): No privileges are required to exploit the vulnerability.
- UI:R (User Interaction Required): The attack requires user interaction, such as visiting a malicious web page.
- S:C (Changed Scope): The vulnerability affects a different security scope.
- C:H (High Confidentiality Impact): The vulnerability can lead to a high impact on confidentiality.
- I:H (High Integrity Impact): The vulnerability can lead to a high impact on integrity.
- A:H (High Availability Impact): The vulnerability can lead to a high impact on availability.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Malicious Web Page: An attacker can craft a malicious web page that, when visited by an authenticated user, triggers unintended actions within the Sunshine application.
- Phishing Emails: Attackers can send phishing emails containing links to malicious web pages to lure users into visiting them.
- Compromised Websites: Attackers can compromise legitimate websites to host malicious content that exploits the CSRF vulnerability.
Exploitation Methods:
- Command Injection: By exploiting the "Command Preparations" feature, attackers can inject arbitrary commands that will be executed with Administrator privileges.
- Privilege Escalation: The injected commands can be used to escalate privileges, gain unauthorized access, or perform other malicious actions.
3. Affected Systems and Software Versions
Affected Systems:
- Sunshine versions prior to 2025.628.4510.
Affected Software Versions:
- All versions of Sunshine before 2025.628.4510 are vulnerable to this CSRF issue.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Upgrade to the Latest Version: Users should upgrade to Sunshine version 2025.628.4510 or later, which includes the patch for this vulnerability.
- Disable Unnecessary Features: Disable the "Command Preparations" feature if it is not required.
Long-Term Mitigation:
- Implement CSRF Protection: Ensure that all web applications implement robust CSRF protection mechanisms, such as anti-CSRF tokens.
- Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and mitigate potential security issues.
- User Education: Educate users about the risks of visiting unknown or suspicious websites and the importance of verifying the authenticity of emails and links.
5. Impact on European Cybersecurity Landscape
The vulnerability in Sunshine highlights the importance of securing web applications against CSRF attacks, especially in applications that perform OS command execution. The potential for arbitrary command execution with Administrator privileges poses a significant risk to the confidentiality, integrity, and availability of systems. This underscores the need for robust security practices and regular updates to mitigate such vulnerabilities.
6. Technical Details for Security Professionals
Vulnerability Details:
- CSRF Vulnerability: The web UI of Sunshine lacks protection against CSRF attacks, allowing an attacker to craft a malicious web page that triggers unintended actions.
- Command Injection: The "Command Preparations" feature can be abused to inject arbitrary commands, which are executed with Administrator privileges.
Patch Information:
- Patch Version: The vulnerability has been patched in Sunshine version 2025.628.4510.
- GitHub Commit: The patch is available in the GitHub commit 738ac93a0ec1cd10412d1f339968775f53bfefe0.
References:
- GitHub Security Advisory: GHSA-39hj-fxvw-758m
- CVE ID: CVE-2025-53095
Conclusion: The CSRF vulnerability in Sunshine underscores the critical importance of implementing robust security measures in web applications, especially those with elevated privileges. Organizations should prioritize updating to the patched version and implementing additional security controls to mitigate similar risks in the future.