Clickjacking in the UI leads to unauthorized actions being performed · Advisory · LizardByte/Sunshine · GitHub
Severity: Moderate
Package: Sunshine
Affected versions: <=v2025.122.141614
Patched versions: 2025.628.4510
Description
Severity: Moderate
CVSS v3 base metrics:
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: Required
- Scope: Unchanged
- Confidentiality: None
- Integrity: Low
- Availability: Low
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CVE ID: CVE-2025-53096
Weakness: CWE-1021, Improper Restriction of Rendered UI Layers or Frames
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
Credits
- axfla (remediation developer)
- ReenigneArcher (remediation verifier)
Summary
The web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting with the malicious page (one or more clicks) while authenticated, they may unknowingly perform actions within the Sunshine application.
Specifically, this flaw could be exploited to abuse features of the Troubleshooting page. An attacker could trick the user into clicking a hidden "Unpair All" button, resulting in the removal of all clients associated with the Sunshine instance. This could lead to service disruption and loss of remote access, and require reconfiguration of the affected clients. It could also be used to trick a user into restarting the Sunshine instance, or into changing its configuration from the "Configuration" tab.
Details
The application uses Basic Authentication, which is inherently vulnerable to Clickjacking attacks in Chromium-based browsers when combined with the lack of proper UI framing protections.
Because the Sunshine UI can be embedded within a malicious website using an invisible iframe, an attacker could trick an authenticated user into clicking hidden interface elements, such as "Unpair" buttons or configuration options. This could result in unauthorized actions being performed on behalf of the user like unpairing trusted clients from the Sunshine instance, leading to loss of access and potential disruption of service.
To mitigate this issue, the application should implement defenses such as the X-Frame-Options or Content-Security-Policy: frame-ancestors headers to prevent the UI from being embedded in third-party pages.
Impact
An attacker can exploit the lack of Clickjacking protections in the Sunshine web UI to perform actions as an authenticated user, such as unpairing the clients, changing the configuration or restarting the Sunshine instance. The vulnerability can be exploited remotely over the internet without the Sunshine instance being directly exposed.
Fix
The bug was patched in commit 2f27a57.
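As an added illustration (not Sunshine's code), the checker below decides from a response's headers whether a browser would render the page inside a frame served from another origin, evaluating the two defenses the Details section names: Content-Security-Policy frame-ancestors (which browsers honour in preference to X-Frame-Options when both are present) and X-Frame-Options. The origins and header sets are constructed; the checker ignores ports and treats the obsolete ALLOW-FROM value as no protection, which is how current browsers behave.

```python
from typing import Mapping, Optional
from urllib.parse import urlsplit

def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive.
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def _source_matches(source: str, origin: str) -> bool:
    # Match a CSP host-source (https://app.example, *.example, *) against an origin; ports ignored.
    if source == "*":
        return True
    scheme, _, rest = source.rpartition("://")        # scheme is '' when omitted
    host = rest.split("/")[0].split(":")[0].lower()
    o = urlsplit(origin)
    if scheme and scheme.lower() != o.scheme:
        return False
    if host.startswith("*."):
        return (o.hostname or "").endswith(host[1:])
    return o.hostname == host

def can_be_framed_by(headers: Mapping[str, str], own_origin: str, embedder: str) -> bool:
    """True if a modern browser would render this response inside a page from `embedder`."""
    csp = _header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        # frame-ancestors is present: browsers then ignore X-Frame-Options entirely.
        for src in parts[1:]:
            if src.lower() == "'none'":
                return False
            if src.lower() == "'self'" and embedder == own_origin:
                return True
            if not src.startswith("'") and _source_matches(src, embedder):
                return True
        return False                                  # no listed source matched
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == own_origin
    # No header, or a value browsers ignore (e.g. the obsolete ALLOW-FROM): framing is allowed.
    return True

# Constructed sample origins and responses (not captured from a real Sunshine instance).
SUNSHINE_ORIGIN = "https://sunshine.example:47990"
ATTACKER_ORIGIN = "https://attacker.example"
UNPROTECTED = {"Content-Type": "text/html", "WWW-Authenticate": 'Basic realm="Sunshine"'}
HARDENED = {**UNPROTECTED, "X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
```

Run `can_be_framed_by(UNPROTECTED, SUNSHINE_ORIGIN, ATTACKER_ORIGIN)` against the two sample responses: the unprotected one is framable by any origin, the hardened one by none.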