CVE-2025-12548
Unknown Unknown - Not Provided
Unauthenticated Remote Command Execution in Eclipse Che che-machine-exec

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: Red Hat, Inc.

Description
A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12548
EUVD
EUVD-2026-2332
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
red_hat eclipse_che *
red_hat openshift_dev_spaces 3.22.1
red_hat openshift_dev_spaces 3.23.1
red_hat openshift_dev_spaces 3.24.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (including SSH keys and tokens), it could potentially lead to unauthorized access to sensitive data, which may result in non-compliance with data protection regulations that require safeguarding sensitive information. [1, 2, 3, 4]

Executive Summary

This vulnerability in Eclipse Che's che-machine-exec component allows unauthenticated remote attackers to execute arbitrary commands and exfiltrate secrets such as SSH keys and tokens from other users' Developer Workspace containers. It occurs because the JSON-RPC / websocket API is exposed on TCP port 3333 without requiring authentication, enabling attackers on the same network segment to interact with the API and compromise container environments. [1, 2]

Impact Analysis

The vulnerability can lead to unauthorized remote code execution and theft of sensitive information like SSH private keys and tokens from other users' containers. This can result in full compromise of affected Developer Workspace containers, potentially allowing attackers to escalate privileges, move laterally within the network, and access confidential data or systems. [1, 2]

Detection Guidance

You can detect this vulnerability by checking if the Eclipse Che machine-exec API is exposed on TCP port 3333 and listening on all network interfaces (0.0.0.0:3333) without authentication. A common command to check this on a Linux system is: `netstat -tuln | grep 3333` or `ss -tuln | grep 3333`. Additionally, scanning your network for open TCP port 3333 on hosts running Eclipse Che containers can help identify vulnerable instances. [2]

Mitigation Strategies

Immediate mitigation steps include applying the security updates released for Red Hat OpenShift Dev Spaces versions 3.22.1, 3.23.1, or 3.24.1, which address CVE-2025-12548. Ensure that all previously released relevant errata are applied before installing these updates. Restricting access to TCP port 3333 and disabling or securing the unauthenticated JSON-RPC / websocket API exposed on this port can also help mitigate the risk until patches are applied. [1, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12548. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart