Sunshine Cross-Site Request Forgery Vulnerability Allowing Command Injection as Administrator

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Sunshine, a self-hosted game stream host for Moonlight, prior to version 2025.628.4510. The issue arises because the web UI lacks adequate protection against CSRF attacks, allowing an attacker to create a malicious web page that, when accessed by an authenticated user, can perform unintended actions within the Sunshine application on that user's behalf. This vulnerability is particularly concerning because the application is designed to execute operating system commands, which can be exploited to misuse the 'Command Preparations' feature. As a result, an attacker could inject arbitrary commands that would be executed with Administrator privileges when an application is launched.

Impact

Exploitation of this vulnerability allows for command injection as an Administrator on the machine running Sunshine. This is particularly impactful because the CSRF can be triggered over the internet without needing an exposed Sunshine instance.

Reproduction

To reproduce this vulnerability, an authenticated user must be tricked into visiting a crafted web page that exploits the CSRF weakness. This can be done by creating a malicious page that sends a request to the Sunshine application, including the necessary 'Authorization: Basic ...' header. Once the user visits the page, the Sunshine application will execute the injected commands with Administrator privileges.

Remediation

Users can update to Sunshine version 2025.628.4510 or later, where this vulnerability has been patched.
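The advisory does not describe Sunshine's fix. As an added illustration (not Sunshine's code), the following shows the kind of server-side check whose absence the advisory describes: before a state-changing request such as editing 'Command Preparations' is honoured, the browser-set Sec-Fetch-Site / Origin headers are inspected, because a cached 'Authorization: Basic ...' header alone does not prove the user intended the request. The origin and sample headers below are constructed.

```python
# Added example, not Sunshine's code: a CSRF check of the kind the advisory
# says the web UI lacked. A cross-site page cannot set Origin or Sec-Fetch-Site
# itself, so they distinguish a forged request even when the browser attaches
# cached Basic-auth credentials.
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
OWN_ORIGIN = "https://sunshine.example"  # constructed origin of the web UI


def origin_of(url: str) -> str:
    """Normalise a URL or Origin header value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def allow_state_change(method: str, headers: dict, own_origin: str) -> bool:
    """Return True if a request may mutate state, False if it looks cross-site.

    Assumed policy: the UI is only driven from its own origin.
      * safe methods do not mutate state and always pass;
      * Sec-Fetch-Site, when present, is decisive: only 'same-origin' and
        'none' (user-initiated navigation or non-browser client) pass;
      * otherwise Origin must match our origin; 'null' or a foreign origin fails;
      * with neither header, fall back to Referer; if that is absent too, fail
        closed rather than trust ambient credentials such as Basic auth.
    """
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}
    own = origin_of(own_origin)
    sfs = h.get("sec-fetch-site")
    if sfs is not None:
        return sfs in ("same-origin", "none")
    origin = h.get("origin")
    if origin is not None:
        return origin != "null" and origin_of(origin) == own
    referer = h.get("referer")
    if referer is not None:
        return origin_of(referer) == own
    return False


# Constructed sample requests (not captured traffic).
CROSS_SITE_POST = {
    "Origin": "https://attacker.example",
    "Sec-Fetch-Site": "cross-site",
    "Authorization": "Basic dXNlcjpwYXNz",  # ambient credential, not consent
}
SAME_ORIGIN_POST = {"Origin": OWN_ORIGIN, "Sec-Fetch-Site": "same-origin"}

if __name__ == "__main__":
    print("cross-site POST allowed:", allow_state_change("POST", CROSS_SITE_POST, OWN_ORIGIN))
    print("same-origin POST allowed:", allow_state_change("POST", SAME_ORIGIN_POST, OWN_ORIGIN))
```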

Added: Jul 1, 2025, 2:22 AM
Updated: Jul 1, 2025, 2:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 7.4
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.