Critical Vulnerabilities in Sunshine, a Self-Hosted Game Streaming Server
CVE-2025-53095 is a critical vulnerability affecting Sunshine, a self-hosted game streaming server for Moonlight. Prior to version 2025.628.4510, Sunshine's web user interface lacked protection against Cross-Site Request Forgery (CSRF) attacks. This flaw allows an attacker to craft a malicious web page that, when visited by an authenticated Sunshine user, can trigger unintended actions on the user's behalf within the application.
The severity of this vulnerability is heightened because Sunshine performs operating system command execution by design. An attacker can exploit the CSRF weakness to abuse the "Command Preparations" feature, injecting arbitrary commands that will be executed with Administrator privileges when the user launches an application. This could lead to:
- Execution of arbitrary commands with full administrative rights
- Manipulation of system settings or configurations
- Potential installation of malware or creation of backdoor access
- Full compromise of the host system
The vulnerability has a CVSS v3.1 base score of 9.6 (CRITICAL), reflecting its high impact on confidentiality, integrity, and availability, and the fact that it requires only user interaction (visiting a malicious page) without needing prior privileges.
Sample Attack Scenario for CVE-2025-53095
- An attacker crafts a malicious website containing hidden CSRF requests targeting the Sunshine web UI's "Command Preparations" feature.
- A legitimate user, already authenticated to their Sunshine server, visits the malicious website.
- The CSRF payload silently sends requests to Sunshine, injecting commands that Sunshine will execute with administrator privileges.
- The attacker gains control over the system, possibly installing persistent malware or altering system configurations.
CVE-2025-53096 is another vulnerability in Sunshine, related but distinct. Before version 2025.628.4510, Sunshine's web UI lacked protection against Clickjacking attacks. This allows an attacker to embed the Sunshine interface within a malicious website using transparent or disguised iframes. If an authenticated user interacts (clicks) with this malicious page, they may unknowingly perform actions inside Sunshine without their consent.
This vulnerability has a CVSS v3.1 base score of 5.4 (MEDIUM), reflecting a lower but still significant risk. It requires user interaction and does not directly affect confidentiality, but it can affect integrity and availability by tricking users into unintended operations.
Sample Attack Scenario for CVE-2025-53096
- An attacker creates a malicious website embedding the Sunshine web UI in an invisible iframe.
- An authenticated Sunshine user visits this malicious site.
- The user clicks or interacts with the page, unknowingly triggering Sunshine commands or configurations.
- This leads to unauthorized actions within Sunshine, potentially disrupting services or changing settings.
Mitigation and Recommendations
- Upgrade Sunshine immediately to version 2025.628.4510 or later, where both vulnerabilities have been patched.
- Implement and enforce CSRF protections, such as anti-CSRF tokens in all web forms.
- Add Clickjacking defenses, like setting appropriate HTTP headers (e.g., X-Frame-Options or the Content-Security-Policy frame-ancestors directive).
- Restrict and validate all command execution interfaces to minimize risk.
- Monitor web UI access and suspicious interactions to detect exploitation attempts.
- Limit administrative access to the Sunshine web UI to trusted networks or users.
By following these steps, users can protect their systems from these critical and medium-severity vulnerabilities inherent in earlier versions of Sunshine.