PT-2025-46917 · Unknown · Grist-Core

Published: 2025-11-13 · Updated: 2025-11-14 · CVE-2025-64753

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: grist-core versions prior to 1.7.7
Description: grist-core is a spreadsheet hosting server. A user with only limited read access to a document could call endpoints that reveal the hashes of the document's different versions and then obtain a complete list of changes between any two versions, including data they were not authorized to view. The issue was addressed by restricting the /compare endpoint to users with full read access. The vulnerable endpoint is /compare; the exposed data includes cells, columns, and tables. As a workaround, sensitive document history can be removed with the /states/remove endpoint, or the /compare endpoint can be blocked.
Recommendations: Update to version 1.7.7 or later. As a workaround, remove sensitive document history using the /states/remove endpoint, or block the /compare endpoint.
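The advisory's second workaround, blocking the /compare endpoint, can be applied at a reverse proxy in front of Grist until 1.7.7 is rolled out. The following nginx fragment is an added example and is not part of the advisory or of the grist-core project. It assumes Grist is served behind nginx on an assumed upstream address, and that the vulnerable route's path contains a "/compare" segment under the document API (the advisory names only "/compare"; the surrounding path prefix is an assumption and must be matched against the deployed version's routes).

```nginx
# Added example (not from the advisory): deny the document-compare endpoint
# at the reverse proxy while the fixed grist-core release is being deployed.

upstream grist {
    server 127.0.0.1:8484;            # assumed Grist listen address
}

server {
    listen 443 ssl;
    server_name grist.example.internal;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Assumption: the compare route lives under /api/docs/<docId>/compare...
    # Regex locations are evaluated before the prefix "location /" below,
    # so matching requests never reach the upstream. Logging the denials
    # separately makes attempts to reach the endpoint easy to review.
    location ~ ^/api/docs/[^/]+/compare(/|$) {
        access_log /var/log/nginx/grist-compare-blocked.log;
        return 403;
    }

    # Everything else is proxied to Grist unchanged.
    location / {
        proxy_pass http://grist;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Verify the rule with `nginx -t` and a request to a document's compare path, which should return 403 while ordinary document reads still succeed; remove the location block once every instance runs 1.7.7 or later, since the fix restricts the endpoint to full-read users rather than disabling it.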

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2025-64753, GHSA-3V78-CW58-V685

Affected Products: Grist-Core