Remote Code Execution Vulnerability in Grist by Grist Labs
CVE-2025-64752

6.8 MEDIUM

Key Information:

Vendor

Gristlabs

CVE Published:
13 November 2025

What is CVE-2025-64752?

The grist-core application, a server for hosting spreadsheets, is vulnerable to a remote code execution attack in versions prior to 1.7.7. Any user who gains access to a document within a Grist installation can abuse the URL fetching feature to execute commands on the server. The potential for escalation is significant because these server-side requests are made with the server's privileged network access. The issue is mitigated in version 1.7.7, which introduced a proxy feature for untrusted fetches. As a precaution, operators are advised to restrict the server's access to HTTP/HTTPS endpoints that could expose credentials or that operate without proper authentication.
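The last sentence of the advisory recommends restricting which HTTP/HTTPS destinations the server-side fetch may reach. The following is an added illustration of such an egress check, written for this page; it is not grist-core's code, and the function names, the blocked-address policy and the constructed hostname table in the test are assumptions. It classifies a user-supplied fetch URL as allowed or rejected before any request is made, refusing non-HTTP(S) schemes, embedded credentials, and destinations that resolve to loopback, private, link-local or otherwise non-global addresses (IPv4-mapped IPv6 forms included).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy: only plain web schemes may be fetched on a user's behalf.
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve a hostname to every address it maps to (both address families)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal_address(addr):
    """True when addr points at a network the fetcher must not reach."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to the mapped address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def check_fetch_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a URL the server is asked to fetch.

    The resolver parameter is injectable so the policy can be tested with a
    constructed hostname table instead of live DNS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"

    # A literal IP needs no lookup; a hostname is resolved to all its addresses.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, "resolution failed: %s" % exc
    if not addresses:
        return False, "host resolved to no addresses"

    # Reject if *any* resolved address is internal: a mixed answer is not safe.
    for addr in addresses:
        try:
            if is_internal_address(addr):
                return False, "destination %s is not globally routable" % addr
        except ValueError:
            return False, "unparseable address %r" % addr
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://example.com/data.csv", "http://127.0.0.1:8484/api"):
        print(candidate, check_fetch_url(candidate))
```

A check like this is only a pre-flight filter: because the lookup happens before the connection, a name whose answer changes between the check and the fetch (DNS rebinding) can still slip through unless the fetching client pins the address it validated. That is why routing untrusted fetches through a dedicated proxy with its own restricted egress, as version 1.7.7 does, is the more robust control; the filter above is the complement operators can apply at the network or application edge.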

Affected Version(s)

grist-core < 1.7.7

References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
