CVE-2025-47788

Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the `$target` parameter in `/controller.php` was not properly validated, which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for the issue.

CVSS

No CVSS.

References

Link	Resource
https://github.com/Atheos/Atheos/commit/97fe76871578d2011ebe9281f3a005c5df85162b
https://github.com/Atheos/Atheos/security/advisories/GHSA-x9vw-6vfx-7rx5
https://github.com/Atheos/Atheos/security/advisories/GHSA-x9vw-6vfx-7rx5

Configurations

No configuration.

History

19 May 2025, 15:15

Type	Values Removed	Values Added
References	~~() https://github.com/Atheos/Atheos/security/advisories/GHSA-x9vw-6vfx-7rx5 -~~	() https://github.com/Atheos/Atheos/security/advisories/GHSA-x9vw-6vfx-7rx5 -

16 May 2025, 14:42

Type	Values Removed	Values Added
Summary		(es) Atheos es un IDE en la nube autoalojado y basado en navegador. Antes de la versión v602, al igual que en GHSA-rgjm-6p59-537v/CVE-2025-22152, el parámetro `$target` en `/controller.php` no se validaba correctamente, lo que podía permitir que un atacante ejecutara archivos arbitrarios en el servidor mediante el cruce de rutas. La versión v602 incluye una solución para este problema.

15 May 2025, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-15 20:16

Updated : 2025-05-19 15:15

NVD link : CVE-2025-47788

Mitre link : CVE-2025-47788

CVE.ORG link : CVE-2025-47788

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-23

Relative Path Traversal

{"id": "CVE-2025-47788", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-15T20:16:09.357", "references": [{"url": "https://github.com/Atheos/Atheos/commit/97fe76871578d2011ebe9281f3a005c5df85162b", "source": "security-advisories@github.com"}, {"url": "https://github.com/Atheos/Atheos/security/advisories/GHSA-x9vw-6vfx-7rx5", "source": "security-advisories@github.com"}, {"url": "https://github.com/Atheos/Atheos/security/advisories/GHSA-x9vw-6vfx-7rx5", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-23"}]}], "descriptions": [{"lang": "en", "value": "Atheos is a self-hosted browser-based cloud IDE. Prior to v602, similar to GHSA-rgjm-6p59-537v/CVE-2025-22152, the `$target` parameter in `/controller.php` was not properly validated, which could allow an attacker to execute arbitrary files on the server via path traversal. v602 contains a fix for the issue."}, {"lang": "es", "value": "Atheos es un IDE en la nube autoalojado y basado en navegador. Antes de la versi\u00f3n v602, al igual que en GHSA-rgjm-6p59-537v/CVE-2025-22152, el par\u00e1metro `$target` en `/controller.php` no se validaba correctamente, lo que pod\u00eda permitir que un atacante ejecutara archivos arbitrarios en el servidor mediante el cruce de rutas. La versi\u00f3n v602 incluye una soluci\u00f3n para este problema."}], "lastModified": "2025-05-19T15:15:25.200", "sourceIdentifier": "security-advisories@github.com"}