Description

grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials.

INFO

Published Date :

2025-11-13T21:43:57.610Z

Last Modified :

2025-11-14T17:10:33.307Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64752 vulnerability.

Vendors Products
Getgrist
  • Grist-core
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64752.

URL Resource
https://github.com/gristlabs/grist-core/releases/tag/v1.7.7 cve-icon cve-icon
https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact