Main Vulnerability Database SB2025120346

SB2025120346 - Missing authentication in Eclipse Che machine-exec API

Published: December 3, 2025

Security Bulletin ID SB2025120346

Severity

Critical

Patch available

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing Authentication for Critical Function (CVE-ID: CVE-2025-12548)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to CHE machine-exec API is exposed by default on port 3333/TCP and does not require authentication. A remote non-authenticated attacker can obtain SSH private keys that are configured by other devspaces user and compromise the affected system.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://bugzilla.redhat.com/show_bug.cgi?id=2408850