Cyber Posture

CVE-2025-66208

Critical

Published: 03 December 2025

Modified: 08 December 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS; the weighting is dominated by the very low EPSS score, which is why the composite sits far below what the 9.8 base score alone would suggest)

Description

Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a configuration-dependent RCE (OS command injection) in the richdocumentscode proxy. Users of Nextcloud with the Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly mitigates the RCE vulnerability by requiring timely remediation through patching to version 25.04.702 or later, as recommended in the advisory.

prevent: Prevents OS command injection (CWE-78) in the richdocumentscode proxy by enforcing validation and sanitization of the inputs that reach proxy.php.

prevent: Addresses the configuration-dependent nature of the vulnerability by establishing and enforcing secure configuration settings for Collabora Online and Nextcloud integrations, so that the vulnerable proxy setup is disabled or hardened.

Security Summary [AI]

CVE-2025-66208 is a configuration-dependent remote code execution (RCE) vulnerability stemming from OS command injection (CWE-78) in the richdocumentscode proxy (proxy.php) of Collabora Online - Built-in CODE Server. It affects versions prior to 25.04.702 and concerns Nextcloud deployments that run the Collabora Online - Built-in CODE Server app behind an intermediate reverse proxy, since that is the path through which proxy.php is reached. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); the score assumes the vulnerable configuration is present and reflects the potential for full compromise of the host running the proxy.

An unauthenticated attacker with network access to the reverse proxy can exploit the flaw without privileges or user interaction, again only where the affected configuration is in place. Successful exploitation results in execution of attacker-controlled OS commands through the proxy, with high impact on the confidentiality, integrity and availability of the targeted system. The EPSS score of 0.0028 (an estimated 0.28% probability of exploitation activity in the next 30 days) suggests exploitation was not expected to be widespread at publication, but an unauthenticated, network-reachable command injection still warrants prompt patching on any exposed instance.

The official advisory from Collabora Online at https://github.com/CollaboraOnline/online/security/advisories/GHSA-j3q6-q5pc-v5wf confirms the issue and states that it is fixed in version 25.04.702, recommending immediate upgrades for all prior versions in use with Nextcloud integrations.

Details

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products

collabora / online: versions prior to 25.04.702 (fixed in 25.04.702). The affected component is the Built-in CODE Server app (richdocumentscode) as shipped for Nextcloud; 25.04.702 itself is not affected.
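The patch-level control above and the affected version range both come down to one question: is the richdocumentscode app on a given Nextcloud instance older than 25.04.702? The following triage helper is an added example, not code from the advisory or from the Collabora or Nextcloud projects. It parses the output of Nextcloud's `occ app:list` command (the `  - <app>: <version>` line format is assumed) and compares versions numerically per component, so that the boundary is "strictly older than 25.04.702", as the advisory states. The sample `occ` output is constructed for the example.

```python
"""Version triage for CVE-2025-66208.

Added example; not code from the advisory or from the Collabora/Nextcloud projects.
It reads the output of Nextcloud's `occ app:list` command and reports whether the
installed Built-in CODE Server app (app id richdocumentscode) is older than the
first fixed release, 25.04.702. The sample `occ` output below is constructed.
"""
import re
from typing import Optional, Tuple

APP_ID = "richdocumentscode"   # Nextcloud app id of Collabora Online - Built-in CODE Server
FIXED_VERSION = "25.04.702"    # first fixed release named in the advisory

# Constructed sample of `occ app:list` output (line format assumed: "  - <app>: <version>").
SAMPLE_OCC_OUTPUT = """\
Enabled:
  - activity: 3.0.0
  - richdocuments: 8.6.3
  - richdocumentscode: 24.04.1103
Disabled:
  - encryption: 2.17.0
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'25.04.702' -> (25, 4, 702). Leading zeros and non-numeric suffixes are ignored,
    so components compare numerically rather than lexically ('25.4' equals '25.04')."""
    components = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        components.append(int(digits.group()) if digits else 0)
    return tuple(components)


def is_vulnerable(installed: str) -> bool:
    """Affected releases are strictly older than the fixed one; 25.04.702 itself is patched."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def find_app(occ_output: str, app_id: str = APP_ID) -> Tuple[bool, Optional[str]]:
    """Return (installed, version). The app id is anchored so a longer id sharing the
    same prefix does not match; an entry listed without a version yields (True, None)."""
    pattern = re.compile(rf"^\s*-\s*{re.escape(app_id)}(?::\s*(\S+))?\s*$", re.MULTILINE)
    match = pattern.search(occ_output)
    if not match:
        return False, None
    return True, match.group(1)


def triage(occ_output: str, app_id: str = APP_ID) -> str:
    """One of: 'not installed', 'installed, version unknown', 'vulnerable', 'patched'."""
    installed, version = find_app(occ_output, app_id)
    if not installed:
        return "not installed"
    if version is None:
        return "installed, version unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


if __name__ == "__main__":
    print(f"{APP_ID}: {triage(SAMPLE_OCC_OUTPUT)}")  # vulnerable (24.04.1103 < 25.04.702)
```

Feed it the real output with `sudo -u www-data php occ app:list | python3 triage.py` after swapping the sample for `sys.stdin.read()`; an app that is installed but disabled is still worth upgrading, because it can be re-enabled later.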

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Command and Scripting Interpreter: Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE enables unauthenticated RCE via OS command injection in a public-facing web proxy (the richdocumentscode proxy, proxy.php, exposed through the reverse proxy in front of Nextcloud), which maps directly to T1190 (Exploit Public-Facing Application); the injected OS commands are then executed through the Unix shell, which is T1059.004 (Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
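Because the T1190 step here is a request to proxy.php that passes through the intermediate reverse proxy, that proxy's access log is the natural place to look for attempts. The hunt below is an added example, not a detection shipped with the advisory or the project. It assumes the proxy script is reached at /apps/richdocumentscode/proxy.php (a path not stated on this page) and that the reverse proxy writes the nginx/Apache "combined" log format; the indicators are generic CWE-78 shell metacharacters in decoded query values rather than a signature for any specific payload, and the log lines are constructed.

```python
"""Access-log hunt for command-injection attempts against the Built-in CODE Server proxy.

Added example; not from the advisory or the project. Assumptions not stated on the page:
the proxy script is reached at /apps/richdocumentscode/proxy.php and the intermediate
reverse proxy writes the nginx/Apache "combined" log format. Indicators are generic
CWE-78 shell metacharacters in decoded query values, not a signature for a specific
payload. The log lines below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

PROXY_PATH = "/apps/richdocumentscode/proxy.php"  # assumed path of the richdocumentscode proxy

# nginx/Apache "combined" format: ip ident user [ts] "method target proto" status size "ref" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Characters that terminate or chain a shell command; newline (from %0a) is included.
SHELL_META = re.compile(r"[;|&`$\n\r]")

SAMPLE_LOG = """\
203.0.113.7 - - [04/Dec/2025:10:15:31 +0000] "GET /apps/richdocumentscode/proxy.php?req=/hosting/discovery HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Dec/2025:10:15:32 +0000] "GET /apps/richdocumentscode/proxy.php?req=/hosting/discovery%3Bid HTTP/1.1" 502 157 "-" "curl/8.4.0"
198.51.100.9 - - [04/Dec/2025:10:16:02 +0000] "GET /index.php/apps/files/?dir=/Documents%20%26%20Notes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Dec/2025:10:16:40 +0000] "GET /nextcloud/apps/richdocumentscode/proxy.php?req=/hosting/capabilities%2524(id) HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None for lines that do not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def suspicious_values(target: str) -> List[Tuple[str, str]]:
    """Return (parameter, decoded value) pairs on the proxy path that carry shell
    metacharacters. Values are decoded a second time so double-encoded input
    (%2524 -> %24 -> $) is not missed; the query string's own separators are never
    inspected, so a legitimate '&' between parameters does not fire."""
    parts = urlsplit(target)
    if not unquote(parts.path).endswith(PROXY_PATH):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl already decoded once
        if SHELL_META.search(value) or SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def hunt(log_text: str) -> List[Dict[str, str]]:
    """Run the heuristic over a whole log and return one finding per flagged parameter."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, value in suspicious_values(rec["target"]):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['param']}={f['value']!r}")
```

Treat a hit as a lead, not a verdict: a metacharacter in a query value proves an attempt, not a success, and a 5xx from the proxy may equally be a malformed request. Correlate flagged source addresses with process or shell telemetry on the Nextcloud host (the T1059.004 side) before calling it an incident.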

References

https://github.com/CollaboraOnline/online/security/advisories/GHSA-j3q6-q5pc-v5wf (Collabora Online security advisory)