Atheos Path Traversal Vulnerability in Controller.php Allowing Arbitrary File Execution

Vulnerability

A path traversal vulnerability has been identified in Atheos, a self-hosted cloud IDE, in versions prior to 602. The issue arises in the 'controller.php' file, where the '$target' parameter is not properly validated. This lack of validation can allow an attacker to execute arbitrary files on the server by exploiting directory traversal. The vulnerability is similar to CVE-2025-22152.

Impact

Exploitation of this vulnerability could lead to unauthorized file execution on the server, potentially allowing for remote code execution.

Reproduction

To reproduce this vulnerability, an authorized user must send a POST request to 'controller.php' with a crafted 'target' parameter that includes path traversal sequences. The 'target' value should be manipulated to traverse directories and access sensitive files or execute malicious scripts.

Remediation

Users should update to Atheos version 602 or later, where this vulnerability has been patched.
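The root cause described above is a file path taken from the request and used without confining it to the workspace. The following PHP is an added illustration of such a containment check; it is not Atheos code and not the patch shipped in version 602. It assumes a base workspace directory, a hypothetical helper named resolveTarget(), and constructed demonstration targets.

```php
<?php
// Added illustrative example (not Atheos code, not the fix shipped in 602):
// confine a user-supplied target path to a fixed base directory before it is
// used for any file operation. realpath() collapses "../" segments and symlinks,
// so the containment check runs on the canonical path, not on the raw string.

function resolveTarget(string $baseDir, string $target): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // base directory must exist
    }
    // Reject NUL bytes: they truncate paths in the underlying C calls.
    if (strpos($target, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $target);
    if ($candidate === false) {
        return null;                       // non-existent or unresolvable path
    }
    // Containment: the canonical path must be the base itself or lie under it.
    // The trailing separator prevents "/srv/workspace2" matching "/srv/workspace".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demonstration against a temporary workspace (hypothetical layout).
$workspace = sys_get_temp_dir() . '/atheos_demo_' . uniqid();
mkdir("$workspace/plugins", 0700, true);
file_put_contents("$workspace/plugins/ok.php", "<?php // harmless\n");

$cases = [
    'plugins/ok.php',                    // legitimate target inside the workspace
    '../../../../etc/passwd',            // traversal out of the workspace
    'plugins/../../etc/passwd',          // traversal hidden behind a valid prefix
    "plugins/ok.php\0.txt",              // NUL-byte truncation attempt
];
foreach ($cases as $t) {
    $r = resolveTarget($workspace, $t);
    printf("%-30s => %s\n", addcslashes($t, "\0"), $r === null ? 'REJECTED' : 'allowed: ' . $r);
}
```

realpath() only resolves paths that already exist, so a target that is about to be created must have the same check applied to its parent directory instead.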

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact         10.0
exploitability  6.1
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.