5.4 CVE-2025-53096
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510.
https://nvd.nist.gov/vuln/detail/CVE-2025-53096
Categories
CWE-1021 : Improper Restriction of Rendered UI Layers or Frames
A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to.
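The restriction CWE-1021 describes is enforced by the server, not the page: a response that carries `Content-Security-Policy: frame-ancestors 'none'` (and `X-Frame-Options: DENY` for older clients) cannot be rendered inside another origin's iframe, so the invisible overlay described for this CVE has nothing to overlay. The following is an added example, not code from Sunshine or its advisory: it audits a set of response headers for that protection and produces the hardened header set. The header objects are constructed for illustration, not captured from a Sunshine instance, and the function names are this example's own.

```javascript
// Added example (not Sunshine's code): audit an HTTP response for the
// frame-embedding restriction CWE-1021 expects, and build the hardened
// header set. Runs offline on constructed header objects.
//
// Browser behaviour this relies on: when Content-Security-Policy carries a
// frame-ancestors directive, current browsers use it and ignore
// X-Frame-Options; X-Frame-Options DENY/SAMEORIGIN still covers older clients.
// X-Frame-Options ALLOW-FROM is obsolete and is not honoured.

// Normalise header names to lower case (Node's http module does the same).
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Decide whether a response may be rendered inside a cross-origin frame.
// Returns { protected: boolean, reason: string }.
function auditFrameProtection(rawHeaders) {
  const h = normalise(rawHeaders);
  const fa = frameAncestors(h['content-security-policy']);
  if (fa) {
    // frame-ancestors takes precedence over X-Frame-Options when both exist.
    const sources = fa.map((s) => s.toLowerCase());
    if (sources.length === 0) return { protected: false, reason: 'empty frame-ancestors list' };
    if (sources.includes("'none'")) return { protected: true, reason: "CSP frame-ancestors 'none'" };
    if (sources.includes('*')) return { protected: false, reason: 'CSP frame-ancestors allows any origin' };
    if (sources.every((s) => s === "'self'")) return { protected: true, reason: "CSP frame-ancestors 'self'" };
    return { protected: true, reason: 'CSP frame-ancestors restricted to ' + fa.join(' ') };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return { protected: true, reason: 'X-Frame-Options ' + xfo };
  if (xfo.startsWith('ALLOW-FROM')) return { protected: false, reason: 'X-Frame-Options ALLOW-FROM is obsolete and ignored' };
  if (xfo) return { protected: false, reason: 'invalid X-Frame-Options value ' + xfo };
  return { protected: false, reason: 'no X-Frame-Options and no CSP frame-ancestors' };
}

// Headers an admin UI should send on every HTML response. Any existing
// frame-ancestors directive is replaced by 'none'; other CSP directives are
// kept. These headers only stop rendering inside a foreign frame; cross-site
// request forgery is a separate control (SameSite cookies, CSRF tokens).
function frameProtectionHeaders(existing = {}) {
  const h = normalise(existing);
  const directives = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim())
    .filter((d) => d && !/^frame-ancestors\b/i.test(d));
  directives.push("frame-ancestors 'none'");
  return { ...h, 'x-frame-options': 'DENY', 'content-security-policy': directives.join('; ') };
}

// Constructed sample responses (not captured from a real Sunshine instance).
// The unpatched shape is what an overlay page needs: a plain HTML response
// with no framing restriction, loaded into an opacity:0 iframe under a decoy.
const SAMPLE_UNPATCHED = { 'Content-Type': 'text/html; charset=utf-8', Server: 'example' };
const SAMPLE_PATCHED = frameProtectionHeaders(SAMPLE_UNPATCHED);

function demo() {
  return {
    unpatched: auditFrameProtection(SAMPLE_UNPATCHED),
    patched: auditFrameProtection(SAMPLE_PATCHED),
    patchedHeaders: SAMPLE_PATCHED,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

To run the same audit against a live host, fetch the login page with `curl -kI https://<host>/` and pass the returned headers to `auditFrameProtection`; an unpatched instance comes back without either header, which is the condition the audit reports as unprotected.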
References
security-advisories@github.com (tagged: Patch)
CPE
cpe | start | end
Configuration 1
cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:* | (none) | < 2025.628.4510
REMEDIATION
Patch
EXPLOITS
Exploit-db.com
id | description | date
No known exploits
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumeration and Classification
id | description | severity
103 | Clickjacking. An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually adversary-controlled, system. [Craft a clickjacking page] The adversary uses web page layering techniques to craft a malicious clickjacking page. [Adversary lures victim to clickjacking page] The adversary uses some form of temptation, misdirection or coercion to lure the victim into loading and interacting with the clickjacking page in a way that increases the chances that the victim will click in the right areas. [Trick victim into interacting with the clickjacking page in the desired manner] The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege. | High
181 | Flash File Overlay. An attacker creates a transparent overlay using Flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes. | Medium
222 | iFrame Overlay. In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different system. [Craft an iFrame overlay page] The adversary crafts a malicious iFrame overlay page. [Adversary tricks victim to load the iFrame overlay page] The adversary uses some form of temptation, misdirection or coercion to trick the victim into loading and interacting with the iFrame overlay page in a way that increases the chances that the victim will visit the malicious page. [Trick victim into interacting with the iFrame overlay page in the desired manner] The adversary tricks the victim into clicking on the areas of the UI which contain the hidden action controls and thereby interacts with the target system maliciously with the victim's level of privilege. | High
504 | Task Impersonation. An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges. [Determine suitable tasks to exploit] Determine what tasks exist on the target system that may result in a user providing sensitive information. [Impersonate task] Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges. | High
506 | Tapjacking. An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker-desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize which application they are interacting with. | Low
587 | Cross Frame Scripting (XFS). This attack pattern combines malicious JavaScript and a legitimate web page loaded into a concealed iframe. The malicious JavaScript is then able to interact with the legitimate web page in a manner that is unknown to the user. This attack usually leverages some element of social engineering, in that an attacker must convince a user to visit a web page that the attacker controls. | High
654 | Credential Prompt Impersonation. An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials. [Determine suitable tasks to exploit] Determine what tasks exist on the target system that may result in a user providing their credentials. [Impersonate task] Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials. | High
MITRE
Techniques
id | description
T1036.004 | Masquerading: Masquerade Task or Service
T1056 | Input Capture
T1548.004 | Abuse Elevation Control Mechanism: Elevated Execution with Prompt
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
Mitigations
id | description
M1038 | System settings can prevent applications from running that haven't been downloaded through the Apple Store, which may help mitigate some of these issues. Not allowing unsigned applications to run may also mitigate some risk.
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.