CVE-2025-49008
CRITICALAtheos < 6.0.4 - OS Command Injection via Execute.php Argument Injection
Title source: llmDescription
Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows argument injection, leading to arbitrary command execution. Atheos administrators and users of vulnerable versions are at risk of data breaches or server compromise. Version 6.0.4 introduces a `Common::safe_execute` function that sanitizes all arguments using `escapeshellarg()` prior to execution and migrated all components potentially vulnerable to similar exploits to use this new templated execution system.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Atheos/Atheos/security/advisories/GHSA-rwc2-4q8c-xj48
Patch x_refsource_misc
https://github.com/Atheos/Atheos/commit/7e6c0eb45fa6d04d786a0037389540f2638fe792
Scores
CVSS v4
9.4
EPSS
0.0051
EPSS Percentile
39.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
CWE-88
Status
published
Products (1)
Atheos/Atheos
< 604
Published
Jun 05, 2025
Tracked Since
Feb 18, 2026