Unauthenticated Remote Command Execution in Eclipse Che by Red Hat
CVE-2025-12548

9.0 CRITICAL

What is CVE-2025-12548?

A security weakness exists in the che-machine-exec component of Eclipse Che. The flaw allows an attacker to execute commands remotely without authorization and to exfiltrate sensitive secrets, such as SSH keys and tokens, from the Developer Workspace containers of other users. The root cause is a JSON-RPC/websocket API, exposed on TCP port 3333, that lacks access protection. Restricting access to that API and monitoring for its use are crucial to mitigating the risks associated with this vulnerability.

Affected Version(s)

  • Red Hat OpenShift Dev Spaces (RHOSDS) 3.22 - sha256:e617fc6d1cf09cc3a27898b278ddb0c00f3e9d619f93c927e71c9b4a3a3cdf36

  • Red Hat OpenShift Dev Spaces (RHOSDS) 3.23 - sha256:a6fe7e233fa23e1fff9c74c5d4cbe800534561131b5be59533e88ede24452e3a

  • Red Hat OpenShift Dev Spaces (RHOSDS) 3.24 - sha256:18e08f6cf87349707efe99e95b1029ff084f0824ab16515aac98302dda906eea

CVSS v3.1

  • Score: 9.0
  • Severity: CRITICAL
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Red Hat would like to thank Richard Leach (LME) for reporting this issue.