CVE-2025-49008

216.73.216.233

· Published 05/06/2025 01:15 · Modified 05/06/2025 20:12

Labels: CVE-2025-49008 2025-06-05 CVE-2025-49008 CWE-78 [email protected]

Essential information

Published: 05/06/2025 01:15
Modified: 05/06/2025 20:12
Author: —
Creator: —
CVSS: 9.4 CRITICAL (v3) 9.4 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows argument injection, leading to arbitrary command execution. Atheos administrators and users of vulnerable versions are at risk of data breaches or server compromise. Version 6.0.4 introduces a `Common::safe_execute` function that sanitizes all arguments using `escapeshellarg()` prior to execution and migrated all components potentially vulnerable to similar exploits to use this new templated execution system.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
atheos / atheos	`cpe:2.3:a:atheos:atheos::::::::`