QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-12548

Back to search

CVE-2025-12548

Published: Jan 13, 2026

Modified: Jan 21, 2026

PUBLISHED

CVSS v3.1

9.0

CRITICAL

Description

A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333.

VendorProductVersions

Red Hat

Red Hat OpenShift Dev Spaces (RHOSDS) 3.22

unaffected
sha256:3de7dd8077a9201eb7ff56c340629184773d6c06de9d6e083e13c5b51a82009c - < *

Red Hat

Red Hat OpenShift Dev Spaces (RHOSDS) 3.23

unaffected
sha256:a6fe7e233fa23e1fff9c74c5d4cbe800534561131b5be59533e88ede24452e3a - < *

Red Hat

Red Hat OpenShift Dev Spaces (RHOSDS) 3.24

unaffected
sha256:ced0e45c01cb5f473deb4fb137249b743b907d27172fbabd223024c4000ba56f - < *

Weaknesses (CWE)

CWE-306

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

RHSA-2025:22620
vendor-advisory
x_refsource_REDHAT
RHSA-2025:22623
vendor-advisory
x_refsource_REDHAT
RHSA-2025:22652
vendor-advisory
x_refsource_REDHAT
RHBZ#2408850
issue-tracking
x_refsource_REDHAT

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now