CVE-2025-64753

Published: Nov 13, 2025

Modified: Nov 14, 2025

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint.

Vendor	Product	Versions
gristlabs	grist-core	affected `< 1.7.7`

Weaknesses (CWE)

CWE-863

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685

x_refsource_CONFIRM

https://github.com/gristlabs/grist-core/releases/tag/v1.7.7

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-64753

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References