Critical severity9.1NVD Advisory· Published Jan 10, 2025· Updated Apr 15, 2026

CVE-2025-22152

Description

Atheos is a self-hosted browser-based cloud IDE. Prior to v600, the $path and $target parameters are not properly validated across multiple components, allowing an attacker to read, modify, or execute arbitrary files on the server. These vulnerabilities can be exploited through various attack vectors present in multiple PHP files. This vulnerability is fixed in v600.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Atheos/Atheos/security/advisories/GHSA-rgjm-6p59-537vnvd

News mentions

No linked articles in our index yet.

Severity

CriticalCVSS v3.1

9.1/ 10

CVSS v49.4

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: High
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS

Probability of exploitation in the next 30 days.

0.09%

VYPR risk score

Composite of severity, exploitation, and reach.

0.59high

cvss	0.591
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-434
Unrestricted Upload of File with Dangerous Type
CWE-94
Improper Control of Generation of Code ('Code Injection')

CVE ID

CVE-2025-22152