Vulnerability Details CVE-2025-64752
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.3%
CVSS Severity
CVSS v3 Score 6.8
References
Products affected by CVE-2025-64752
-
cpe:2.3:a:getgrist:grist-core:0.7.1
-
cpe:2.3:a:getgrist:grist-core:0.7.2
-
cpe:2.3:a:getgrist:grist-core:0.7.3
-
cpe:2.3:a:getgrist:grist-core:0.7.4
-
cpe:2.3:a:getgrist:grist-core:0.7.5
-
cpe:2.3:a:getgrist:grist-core:0.7.6
-
cpe:2.3:a:getgrist:grist-core:0.7.7
-
cpe:2.3:a:getgrist:grist-core:0.7.8
-
cpe:2.3:a:getgrist:grist-core:0.7.9
-
cpe:2.3:a:getgrist:grist-core:1.0.3
-
cpe:2.3:a:getgrist:grist-core:1.0.4
-
cpe:2.3:a:getgrist:grist-core:1.0.5
-
cpe:2.3:a:getgrist:grist-core:1.0.6
-
cpe:2.3:a:getgrist:grist-core:1.0.7
-
cpe:2.3:a:getgrist:grist-core:1.0.8
-
cpe:2.3:a:getgrist:grist-core:1.0.9
-
cpe:2.3:a:getgrist:grist-core:1.1.0
-
cpe:2.3:a:getgrist:grist-core:1.1.1
-
cpe:2.3:a:getgrist:grist-core:1.1.10
-
cpe:2.3:a:getgrist:grist-core:1.1.11
-
cpe:2.3:a:getgrist:grist-core:1.1.12
-
cpe:2.3:a:getgrist:grist-core:1.1.13
-
cpe:2.3:a:getgrist:grist-core:1.1.14
-
cpe:2.3:a:getgrist:grist-core:1.1.15
-
cpe:2.3:a:getgrist:grist-core:1.1.16
-
cpe:2.3:a:getgrist:grist-core:1.1.17
-
cpe:2.3:a:getgrist:grist-core:1.1.18
-
cpe:2.3:a:getgrist:grist-core:1.1.2
-
cpe:2.3:a:getgrist:grist-core:1.1.3
-
cpe:2.3:a:getgrist:grist-core:1.1.4
-
cpe:2.3:a:getgrist:grist-core:1.1.5
-
cpe:2.3:a:getgrist:grist-core:1.1.6
-
cpe:2.3:a:getgrist:grist-core:1.1.7
-
cpe:2.3:a:getgrist:grist-core:1.1.8
-
cpe:2.3:a:getgrist:grist-core:1.1.9
-
cpe:2.3:a:getgrist:grist-core:1.2.0
-
cpe:2.3:a:getgrist:grist-core:1.2.1
-
cpe:2.3:a:getgrist:grist-core:1.3.0
-
cpe:2.3:a:getgrist:grist-core:1.3.1
-
cpe:2.3:a:getgrist:grist-core:1.3.2
-
cpe:2.3:a:getgrist:grist-core:1.3.3
-
cpe:2.3:a:getgrist:grist-core:1.4.0
-
cpe:2.3:a:getgrist:grist-core:1.4.1
-
cpe:2.3:a:getgrist:grist-core:1.4.2
-
cpe:2.3:a:getgrist:grist-core:1.5.0
-
cpe:2.3:a:getgrist:grist-core:1.5.1
-
cpe:2.3:a:getgrist:grist-core:1.5.2
-
cpe:2.3:a:getgrist:grist-core:1.6.0
-
cpe:2.3:a:getgrist:grist-core:1.6.1
-
cpe:2.3:a:getgrist:grist-core:1.7.0
-
cpe:2.3:a:getgrist:grist-core:1.7.1
-
cpe:2.3:a:getgrist:grist-core:1.7.2
-
cpe:2.3:a:getgrist:grist-core:1.7.3
-
cpe:2.3:a:getgrist:grist-core:1.7.4
-
cpe:2.3:a:getgrist:grist-core:1.7.5