How to fix CVE-2025-66208?

Within 24 hours: Verify which Nextcloud instances run richdocumentscode versions prior to 25.04.702 and assess exposure. Within 7 days: Apply vendor patch 25.04.702 or later across all affected environments; test in staging first. Within 30 days: Conduct security audit of Nextcloud instances for unauthorized access logs and verify patch deployment completion across the organization.

Is PHP affected by CVE-2025-66208?

Collabora Online users running versions before 25.04.702 face critical remote code execution risk through the built-in CODE Server proxy, potentially allowing attackers to execute arbitrary OS commands on affected Nextcloud instances.

CVE-2025-66208

EUVD-2025-201097 CRITICAL

2025-12-03 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 16:14 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 16:14 euvd

EUVD-2025-201097

Patch Released

Mar 15, 2026 - 16:14 nvd

Patch available

CVE Published

Dec 03, 2025 - 19:15 nvd

CRITICAL 9.8

Description

Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702.

Analysis

Technical Context

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells. This vulnerability is classified as OS Command Injection (CWE-78).

Affected Products

Affected products: Collabora Online

Remediation

A vendor patch is available — apply it immediately. Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.5

CVSS: +49

POC: 0

CVE-2025-66208 vulnerability details – vuln.today

Back

CVE-2025-66208

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-66208

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code