Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Lifecycle Timeline
6DescriptionGitHub Advisory
Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of escapeshellcmd() in /components/codegit/traits/execute.php allows argument injection, leading to arbitrary command execution. Atheos administrators and users of vulnerable versions are at risk of data breaches or server compromise. Version 6.0.4 introduces a Common::safe_execute function that sanitizes all arguments using escapeshellarg() prior to execution and migrated all components potentially vulnerable to similar exploits to use this new templated execution system.
AnalysisAI
Critical command injection vulnerability in Atheos IDE versions prior to 6.0.4, stemming from improper use of escapeshellcmd() in the Git component that allows argument injection leading to arbitrary command execution. The vulnerability affects Atheos administrators and users on vulnerable versions who can be compromised through a network-based attack requiring high privileges (authenticated admin access). An authenticated attacker with administrative rights can execute arbitrary system commands, potentially leading to complete server compromise, data breaches, and lateral movement within the hosting infrastructure.
Technical ContextAI
The vulnerability exists in /components/codegit/traits/execute.php where the Atheos IDE improperly implements shell command execution using PHP's escapeshellcmd() function. The root cause (CWE-78: Improper Neutralization of Special Elements used in an OS Command) stems from inadequate input sanitization before passing user-controlled arguments to shell execution contexts. While escapeshellcmd() removes special characters that have special meaning to shell, it fails to properly quote/escape individual arguments, allowing attackers to inject additional command arguments. The fix introduced in version 6.0.4 replaces this with escapeshellarg(), which properly quotes each argument individually and escapes any quotes within the argument, preventing argument injection attacks. Atheos (CPE: software:atheos) is a self-hosted, browser-based IDE with Git integration capabilities, making the vulnerable Git component a critical attack surface for authenticated users.
RemediationAI
Upgrade Atheos to version 6.0.4 or later immediately; details: Version 6.0.4 introduces the Common::safe_execute function that uses escapeshellarg() for proper argument sanitization and migrates all vulnerable execution paths to this templated system. Workaround: Restrict administrative access in Atheos; details: Limit the number of accounts with administrator privileges; implement strict access controls and audit logging for admin accounts; use multi-factor authentication if available. Mitigation: Network segmentation and monitoring; details: Restrict network access to Atheos instances to trusted networks only; monitor and log all Git operations and administrative actions; implement intrusion detection for suspicious command patterns. Code-level fix: Manual remediation if immediate patching is not possible; details: Review /components/codegit/traits/execute.php and replace all escapeshellcmd() usage with escapeshellarg() for individual arguments, or implement the Common::safe_execute template function from version 6.0.4.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-16939