CVE-2025-12548
Unauthenticated Remote Command Execution in Eclipse Che che-machine-exec

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: Red Hat, Inc.

Description
A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
red_hat eclipse_che *
red_hat openshift_dev_spaces 3.22.1
red_hat openshift_dev_spaces 3.23.1
red_hat openshift_dev_spaces 3.24.1
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (including SSH keys and tokens), it could potentially lead to unauthorized access to sensitive data, which may result in non-compliance with data protection regulations that require safeguarding sensitive information. [1, 2, 3, 4]


Can you explain this vulnerability to me?

This vulnerability in Eclipse Che's che-machine-exec component allows unauthenticated remote attackers to execute arbitrary commands and exfiltrate secrets such as SSH keys and tokens from other users' Developer Workspace containers. It occurs because the JSON-RPC / websocket API is exposed on TCP port 3333 without requiring authentication, enabling attackers on the same network segment to interact with the API and compromise container environments. [1, 2]


How can this vulnerability impact me?

The vulnerability can lead to unauthorized remote code execution and theft of sensitive information like SSH private keys and tokens from other users' containers. This can result in full compromise of affected Developer Workspace containers, potentially allowing attackers to escalate privileges, move laterally within the network, and access confidential data or systems. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking whether the Eclipse Che machine-exec API is exposed on TCP port 3333 and listening on all network interfaces (0.0.0.0:3333) without authentication. On a Linux system, `netstat -tuln | grep 3333` or `ss -tuln | grep 3333` lists any socket bound to that port together with its bind address. Additionally, scanning your own network for open TCP port 3333 on hosts running Eclipse Che containers can help identify exposed instances. [2]
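As an added illustration of the check described above (not code from the advisory or from the Eclipse Che project), this POSIX shell function parses `ss -tuln` style output and reports only the TCP 3333 listeners bound to a wildcard address, which is the exposure the description refers to; the sample output it runs against is constructed, not captured from a real host.

```shell
#!/bin/sh
# Report TCP LISTEN sockets on the given port whose bind address is a
# wildcard (0.0.0.0, *, [::] or ::). Reads `ss -tuln`-formatted lines on
# stdin; a loopback-only bind such as 127.0.0.1:3333 is not reported.
# Real use: ss -tuln | find_wildcard_listeners 3333
find_wildcard_listeners() {
  port="$1"
  awk -v port="$port" '
    $1 == "tcp" && $2 == "LISTEN" {
      # "Local Address:Port" is column 5 in `ss -tuln` output
      addr = $5
      n = split(addr, parts, ":")
      p = parts[n]
      # everything before the final ":" is the bind address (IPv6 keeps its brackets)
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (p == port && (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::"))
        print addr
    }'
}

# Constructed sample of `ss -tuln` output (not from a real system).
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3333     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:3333       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      4096   *:3333             *:*'

# Run the check on the constructed sample; prints the wildcard-bound 3333 listeners.
check_port_3333() {
  printf '%s\n' "$SAMPLE" | find_wildcard_listeners 3333
}

check_port_3333
```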


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the security updates released for Red Hat OpenShift Dev Spaces versions 3.22.1, 3.23.1, or 3.24.1, which address CVE-2025-12548. Ensure that all previously released relevant errata are applied before installing these updates. Restricting access to TCP port 3333 and disabling or securing the unauthenticated JSON-RPC / websocket API exposed on this port can also help mitigate the risk until patches are applied. [1, 3, 4]

