CVE-2025-12548

Name of the Vulnerable Software and Affected Versions Eclipse Che versions (affected versions not specified)

Description A flaw exists in Eclipse Che che-machine-exec that permits unauthenticated remote arbitrary command execution and secret exfiltration, including SSH keys and tokens, from other users' Developer Workspace containers. This is possible through an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333. The issue allows attackers to gain full command execution and steal secrets across workspaces.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.