
THREATINT
PUBLISHED

CVE-2025-49008

Atheos Improper Input Validation Vulnerability Enables RCE in Common.php



Description

Atheos is a self-hosted, browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows argument injection, leading to arbitrary command execution. Administrators and users of vulnerable versions are at risk of data breaches or server compromise. Version 6.0.4 introduces a `Common::safe_execute` function that sanitizes every argument with `escapeshellarg()` prior to execution, and migrates all components potentially vulnerable to similar exploits to this new templated execution system.
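The two escaping functions named above behave very differently, and the difference is the whole point of CWE-88. `escapeshellcmd()` neutralises shell metacharacters in a complete command line but leaves option-looking values such as `--help` untouched, so a value that is meant to be a path or a ref can still be interpreted by the child program as an option. `escapeshellarg()` wraps one value in single quotes so the child receives it as exactly one literal argument. The following PHP illustration is added here and is not Atheos code; `build_unsafe()`, `safe_execute()` and the `%s` template convention are assumptions chosen to show the pattern, not the project's actual `Common::safe_execute` signature.

```php
<?php
// Added illustration (not Atheos code): escapeshellcmd() on a whole command
// line versus a templated, per-argument escapeshellarg() execution helper.

// Vulnerable pattern (CWE-78 / CWE-88): the untrusted value is interpolated
// into the command string and the whole string goes through escapeshellcmd().
// Shell metacharacters are neutralised, but a value that looks like an
// option is passed to git unchanged, so git sees an extra option.
function build_unsafe(string $userValue): string
{
    return escapeshellcmd("git log " . $userValue);
}

// Hardened pattern (in the spirit of the 6.0.4 fix, names are assumed):
//  * the command shape is a fixed template with %s placeholders,
//  * each argument is quoted individually with escapeshellarg(),
//  * "--" in the template tells git that option parsing is over, so even a
//    quoted value starting with "-" is treated as a pathspec, not an option.
// With $run = false the helper only returns the command line, which makes
// it easy to unit-test without touching the shell.
function safe_execute(string $template, array $args, bool $run = false): string
{
    $quoted = array_map('escapeshellarg', $args);
    $cmd    = vsprintf($template, $quoted);
    return $run ? (string) shell_exec($cmd . ' 2>&1') : $cmd;
}

// Optional defence in depth: reject option-looking values where the caller
// knows a path or ref is expected. Cheap, and it makes audit logs obvious.
function reject_option_like(string $value): string
{
    if ($value !== '' && $value[0] === '-') {
        throw new InvalidArgumentException("option-like argument rejected: $value");
    }
    return $value;
}

// Constructed sample value: harmless, but shaped like an option.
$value = "--help";

echo build_unsafe($value), PHP_EOL;
// git log --help            <- escapeshellcmd() changed nothing; git gets an option

echo safe_execute('git log -- %s', [$value]), PHP_EOL;
// git log -- '--help'       <- one quoted literal after "--": a pathspec, not an option

try {
    safe_execute('git log -- %s', [reject_option_like($value)]);
} catch (InvalidArgumentException $e) {
    echo "blocked: ", $e->getMessage(), PHP_EOL;
}
```

The detection angle for defenders reviewing similar PHP code: any call to `escapeshellcmd()`, `exec()`, `shell_exec()`, `system()` or backticks whose argument is built by string concatenation or interpolation of request data is a candidate for this class of bug, even when "sanitization" is visibly present. The safe shape is a fixed template plus `escapeshellarg()` on every variable part, ideally with `--` before positional values.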

Reserved 2025-05-29 | Published 2025-06-05 | Updated 2025-06-05 | Assigner GitHub_M


CRITICAL: 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Product status

< 6.0.4: affected

References

github.com/...Atheos/security/advisories/GHSA-rwc2-4q8c-xj48

github.com/...ommit/7e6c0eb45fa6d04d786a0037389540f2638fe792

cve.org (CVE-2025-49008)

nvd.nist.gov (CVE-2025-49008)

https://cve.threatint.eu/CVE/CVE-2025-49008