CVE-2025-64753
📋 TL;DR
This vulnerability in grist-core allows users with partial read access to documents to view sensitive document history and changes they shouldn't have access to. It affects all grist-core deployments prior to version 1.7.7 where document-level permissions are used. The issue exposes potentially confidential spreadsheet data through the version comparison feature.
💻 Affected Systems
- grist-core
📦 What is this software?
Grist Core by Getgrist
⚠️ Risk & Real-World Impact
Worst Case
An attacker with minimal access could reconstruct entire sensitive documents by analyzing version history, potentially exposing confidential business data, financial information, or personal data.
Likely Case
Internal users with limited document access could view changes to restricted cells or columns, leading to unauthorized information disclosure within the organization.
If Mitigated
With proper access controls and monitoring, impact is limited to potential minor information leakage that can be detected and contained.
🎯 Exploit Status
Exploitation requires authenticated access with at least partial read permissions to a document. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.7
Vendor Advisory: https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685
Restart Required: Yes
Instructions:
1. Back up your grist-core data.
2. Stop the grist-core service.
3. Update to version 1.7.7 or later using your package manager or by downloading from GitHub releases.
4. Restart the grist-core service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Block /compare endpoint
Prevent access to the vulnerable endpoint using web server configuration or firewall rules.
# For nginx:
location /compare { deny all; }
# For Apache:
<Location /compare> Require all denied </Location>
Remove sensitive document history
Use the /states/remove endpoint to delete version history containing sensitive information. The request body is JSON, so send the matching Content-Type header:
curl -X POST http://your-grist-instance/states/remove -H 'Authorization: Bearer YOUR_API_KEY' -H 'Content-Type: application/json' -d '{"docId": "DOCUMENT_ID"}'
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to grist-core instances
- Enhance monitoring and alerting for unauthorized access to document history endpoints
🔍 How to Verify
Check if Vulnerable:
Check whether the grist-core version is below 1.7.7, and test whether a user with only partial read access can reach the /compare endpoint for a document whose access rules restrict them.
Check Version:
grist --version or check package manager output
Verify Fix Applied:
After updating to 1.7.7 or later, verify that users with only partial read access receive an access-denied response when they request the /compare endpoint.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /compare endpoint
- Multiple failed authentication attempts followed by successful /compare access
Network Indicators:
- Unusual patterns of requests to /compare endpoint from users with limited permissions
SIEM Query:
source="grist-logs" AND (uri_path="/compare" AND user_permission="partial_read")
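An offline way to check access logs for the indicators above, as an added example that is not part of this advisory or of grist-core: it parses constructed nginx-style access-log lines (the paths, user names and the set of limited-permission users are assumptions) and flags limited-permission users whose /compare requests succeed repeatedly, which on a patched instance should not happen.

```python
import re
from collections import Counter

# Constructed sample lines in nginx combined-log format with the authenticated
# user in the third field. These are made up for this example, not real output.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Nov/2025:10:01:02 +0000] "GET /api/docs/DOC_A/compare?left=10&right=12 HTTP/1.1" 200 5120
10.0.0.5 - alice [12/Nov/2025:10:01:09 +0000] "GET /api/docs/DOC_A/compare?left=12&right=13 HTTP/1.1" 200 4096
10.0.0.9 - bob [12/Nov/2025:10:02:01 +0000] "GET /api/docs/DOC_A HTTP/1.1" 200 2048
10.0.0.9 - bob [12/Nov/2025:10:02:15 +0000] "GET /api/docs/DOC_A/compare?left=1&right=2 HTTP/1.1" 200 8192
10.0.0.9 - bob [12/Nov/2025:10:02:16 +0000] "GET /api/docs/DOC_A/compare?left=2&right=3 HTTP/1.1" 200 8192
10.0.0.9 - bob [12/Nov/2025:10:02:17 +0000] "GET /api/docs/DOC_A/compare?left=3&right=4 HTTP/1.1" 200 8192
10.0.0.12 - carol [12/Nov/2025:10:03:00 +0000] "GET /api/docs/DOC_A/compare?left=1&right=2 HTTP/1.1" 403 64
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def compare_hits(lines):
    """Return (user, path, status) for every request whose path contains /compare."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and "/compare" in rec["path"].split("?")[0]:
            hits.append((rec["user"], rec["path"], int(rec["status"])))
    return hits


def flag_users(lines, limited_users, threshold=3):
    """Flag users from `limited_users` (assumed: exported from your document ACLs)
    whose /compare requests returned 200 at least `threshold` times. A 200 for a
    limited user is the indicator; a patched instance returns an access-denied status."""
    counts = Counter(
        user for user, _, status in compare_hits(lines)
        if user in limited_users and status == 200
    )
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(flag_users(SAMPLE_LOG.splitlines(), {"bob", "carol"}))  # {'bob': 3}
```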