CVE-2025-64752

6.8 MEDIUM

📋 TL;DR

This vulnerability in grist-core allows authenticated users to perform server-side request forgery (SSRF) attacks. Any user with document access can exploit a URL fetching feature to make requests from the server's privileged network position, potentially accessing internal systems or escalating attacks. This affects all Grist installations running versions before 1.7.7.

💻 Affected Systems

Products:
  • grist-core
Versions: All versions prior to 1.7.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user authentication and document access, but this is common in normal usage.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access internal systems, steal credentials from metadata services, perform lateral movement, or use the server as a proxy for attacks against other systems.

🟠

Likely Case

Unauthorized access to internal HTTP/HTTPS endpoints, credential theft from services like AWS metadata, or scanning of internal networks.

🟢

If Mitigated

Limited to accessing only external resources or properly firewalled internal systems with no credential exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated. SSRF techniques are well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.7

Vendor Advisory: https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3

Restart Required: Yes

Instructions:

1. Back up your Grist data.
2. Stop the Grist service.
3. Update to version 1.7.7 using your package manager or by downloading from GitHub releases.
4. Restart the Grist service.
5. Verify the version is 1.7.7 or higher.

🔧 Temporary Workarounds

Restrict network access (applies to: all)

Block the Grist server from accessing internal HTTP/HTTPS endpoints that expose credentials or operate without authentication.

Use firewall rules to restrict outbound connections from the Grist server to only the necessary external resources.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Grist server from sensitive internal systems
  • Disable or restrict the URL fetching feature through configuration if possible

🔍 How to Verify

Check if Vulnerable:

Check the running Grist version. Any version below 1.7.7 is vulnerable.

Check Version:

Check Grist web interface admin panel or run: docker exec grist-container cat /app/package.json | grep version

Verify Fix Applied:

Confirm Grist version is 1.7.7 or higher and test that URL fetching now uses proxy for untrusted sources.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP/HTTPS requests from Grist server to internal IP ranges
  • Multiple failed authentication attempts to internal services from Grist server IP

Network Indicators:

  • HTTP requests from Grist server to internal metadata services (169.254.169.254, etc.)
  • Unusual traffic patterns from Grist server to non-standard ports

SIEM Query:

source="grist-logs" AND (url_fetch OR http_request) AND dest_ip IN (RFC1918_IP_RANGES)
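The SIEM query above is pseudo-syntax; as an added example (not part of this advisory or of grist-core), here is the same check as a small Python script that scans outbound URL-fetch log lines for destinations in RFC1918 space or the link-local metadata range. The log line format, user ids and sample lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Destination ranges worth alerting on for fetches made by the Grist server:
# RFC1918 private space, loopback, and the link-local range that hosts cloud
# instance metadata services (169.254.169.254).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed log format (assumption): "<ts> url_fetch user=<id> dest=<url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) url_fetch user=(?P<user>\S+) dest=(?P<url>\S+)$")

def is_internal_target(url: str) -> bool:
    """True when the URL's host is a literal IP inside a monitored range."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname, not a literal IP; needs DNS resolution to judge
    return any(addr in net for net in INTERNAL_NETS)

def find_ssrf_indicators(lines):
    """Return (ts, user, url) for every fetch aimed at an internal address."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_internal_target(m.group("url")):
            hits.append((m.group("ts"), m.group("user"), m.group("url")))
    return hits

# Constructed sample log lines: two benign external fetches, two internal ones.
SAMPLE_LOG = [
    "2025-11-20T10:01:02Z url_fetch user=u17 dest=https://example.com/data.csv",
    "2025-11-20T10:01:09Z url_fetch user=u17 dest=http://169.254.169.254/latest/meta-data/",
    "2025-11-20T10:01:15Z url_fetch user=u17 dest=http://10.0.3.7:8500/v1/kv/",
    "2025-11-20T10:02:00Z url_fetch user=u42 dest=https://api.example.org/v2/items",
]

if __name__ == "__main__":
    for ts, user, url in find_ssrf_indicators(SAMPLE_LOG):
        print(f"ALERT {ts} user={user} internal fetch -> {url}")
```

Fetches to hostnames that resolve to internal addresses are not caught by this literal-IP check, so pair it with the network-level indicators listed above.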
