CVE-2025-53095 Overview
CVE-2025-53095 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Sunshine, a self-hosted game stream host for Moonlight. The web UI of Sunshine lacks protection against CSRF attacks, allowing an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Most critically, since the application performs OS command execution by design, this vulnerability can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched.
Critical Impact
Attackers can achieve remote code execution with Administrator privileges by chaining CSRF with the legitimate "Command Preparations" feature, requiring only that an authenticated Sunshine user visits a malicious web page.
Affected Products
- LizardByte Sunshine versions prior to 2025.628.4510
Discovery Timeline
- 2025-07-01 - CVE-2025-53095 published to NVD
- 2025-08-22 - Last updated in NVD database
Technical Details for CVE-2025-53095
Vulnerability Analysis
This CSRF vulnerability exists because the Sunshine web UI fails to implement anti-CSRF tokens or validate the origin of incoming requests. When an authenticated administrator accesses a malicious webpage crafted by an attacker, the browser automatically includes authentication cookies with cross-origin requests to the Sunshine web interface running on localhost. The application's design includes legitimate OS command execution capabilities through the "Command Preparations" feature, which is intended to allow users to run scripts or commands before launching streamed applications. By combining CSRF with this feature, attackers can inject malicious commands that execute with the elevated privileges of the Sunshine service.
Root Cause
The root cause of this vulnerability is the absence of CSRF protection mechanisms in the Sunshine web UI. The application does not implement anti-CSRF tokens, does not validate Origin or Referer headers, and does not require proper Content-Type headers for state-changing API requests. This allows cross-origin requests from attacker-controlled websites to be processed as legitimate requests when they carry the user's session credentials.
Attack Vector
The attack requires an authenticated Sunshine user to visit an attacker-controlled webpage while logged into the Sunshine web interface. The malicious page contains hidden forms or JavaScript that automatically submit requests to the Sunshine API endpoints, such as those managing applications or command preparations. Since the browser includes session cookies with these requests and the server performs no origin validation, the malicious requests are processed with the victim's privileges. The attacker can leverage the "Command Preparations" feature to inject commands that execute with Administrator privileges when a streaming application is subsequently launched.
The security patch adds Content-Type: application/json header requirements to API requests, helping to prevent simple CSRF attacks by requiring headers that cannot be set in cross-origin requests without CORS preflight checks:
}
return {
- cURL: `curl -u user:pass -X ${method.trim()} -k https://localhost:47990${endpoint.trim()}${curlBodyString}`,
+ cURL: `curl -u user:pass -H "Content-Type: application/json" -X ${method.trim()} -k https://localhost:47990${endpoint.trim()}${curlBodyString}`,
Python: `import json
import requests
from requests.auth import HTTPBasicAuth
Source: GitHub Commit Update
The patch also updates frontend API calls to include proper headers:
"Are you sure to delete " + this.apps[id].name + "?"
);
if (resp) {
- fetch("./api/apps/" + id, { method: "DELETE" }).then((r) => {
+ fetch("./api/apps/" + id, {
+ method: "DELETE",
+ headers: {
+ "Content-Type": "application/json"
+ },
+ }).then((r) => {
if (r.status === 200) document.location.reload();
});
}
Source: GitHub Commit Update
Detection Methods for CVE-2025-53095
Indicators of Compromise
- Unexpected modifications to application configurations or "Command Preparations" settings in Sunshine
- Unusual commands or scripts appearing in the Sunshine application launch configurations
- Web server logs showing cross-origin requests to the Sunshine API from external referers
- Unexpected processes spawning as child processes of the Sunshine service with Administrator privileges
Detection Strategies
- Monitor Sunshine configuration files for unauthorized modifications to command preparation entries
- Implement network monitoring to detect requests to the Sunshine web interface (default port 47990) originating from suspicious sources
- Review process creation logs for unexpected child processes of the Sunshine service
- Deploy endpoint detection to alert on command execution patterns associated with application launches
Monitoring Recommendations
- Enable verbose logging in Sunshine to capture API request details including headers and origins
- Configure SIEM alerts for configuration changes to Sunshine application settings
- Monitor for unusual network traffic patterns involving localhost web services
- Implement file integrity monitoring on Sunshine configuration directories
How to Mitigate CVE-2025-53095
Immediate Actions Required
- Update Sunshine to version 2025.628.4510 or later immediately
- Review existing "Command Preparations" configurations for any unauthorized or suspicious entries
- Audit recent application configuration changes for signs of compromise
- Consider temporarily disabling the Sunshine web UI if update cannot be immediately applied
Patch Information
LizardByte has released version 2025.628.4510 of Sunshine which addresses this CSRF vulnerability by implementing proper Content-Type header validation for API requests. The fix is available via the official GitHub repository. For detailed patch information, refer to the GitHub Security Advisory GHSA-39hj-fxvw-758m and the security patch commit.
Workarounds
- Restrict access to the Sunshine web interface by binding it to localhost only and accessing via SSH tunnel
- Use a reverse proxy with CSRF protection in front of the Sunshine web interface
- Avoid accessing untrusted websites while authenticated to the Sunshine web UI
- Implement network-level access controls to limit which hosts can reach the Sunshine web interface
# Example: Access Sunshine web UI through SSH tunnel for added security
ssh -L 47990:localhost:47990 user@sunshine-host
# Then access https://localhost:47990 in your browser
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
