CVE-2025-49008

Name of the Vulnerable Software and Affected Versions Atheos versions prior to 6.0.4

Description Atheos is a self-hosted browser-based cloud integrated development environment. The improper use of escapeshellcmd() in /components/codegit/traits/execute.php allows argument injection, leading to arbitrary command execution. Administrators and users of vulnerable versions are at risk of data breaches or server compromise. Version 6.0.4 introduces a Common::safe execute function that sanitizes all arguments using escapeshellarg() prior to execution and migrated all components potentially vulnerable to similar exploits to use this new templated execution system.

Recommendations Update to version 6.0.4 to resolve the issue. As a temporary workaround, consider restricting access to the /components/codegit/traits/execute.php endpoint until the update is applied. Avoid using the escapeshellcmd() function in sensitive operations until the Common::safe execute function is implemented.