Overview
A critical vulnerability, identified as CVE-2025-66208, has been discovered in Collabora Online’s Built-in CODE Server (richdocumentscode). This vulnerability, affecting versions prior to 25.04.702, allows for Configuration-Dependent Remote Code Execution (RCE) via OS Command Injection within the richdocumentscode proxy. Specifically, users leveraging the Nextcloud Collabora Online – Built-in CODE Server app are susceptible to attack through the `proxy.php` file and an intermediate reverse proxy.
Technical Details
The vulnerability stems from insufficient sanitization of input passed to the `proxy.php` script within the Collabora Online Built-in CODE Server. An attacker can exploit this weakness by crafting malicious requests that, when processed by the reverse proxy and passed to the Collabora Online server, allow for the execution of arbitrary operating system commands. The specific attack vector involves manipulating configuration parameters that are subsequently used in shell commands. Because the flaw is configuration-dependent, whether a given installation is exploitable, and under what conditions, depends on its server and reverse-proxy setup.
CVSS Analysis
Due to the absence of a CVSS score provided in the initial disclosure, the severity of this vulnerability is currently considered N/A. However, given the potential for Remote Code Execution, it is strongly advised to treat this vulnerability as critical and apply the recommended mitigation steps immediately. Awaiting official CVSS scoring may unnecessarily delay remediation.
Possible Impact
Successful exploitation of CVE-2025-66208 can have severe consequences, including:
- Complete System Compromise: An attacker can gain full control of the server hosting the Collabora Online instance.
- Data Breach: Sensitive data stored on the server can be accessed, modified, or exfiltrated.
- Denial of Service: The attacker can disrupt or completely shut down the Collabora Online service, impacting productivity and collaboration.
- Lateral Movement: Compromised servers can be used as a launchpad to attack other systems within the network.
Mitigation and Patch Steps
The vulnerability is addressed in version 25.04.702 of Collabora Online. To mitigate the risk, it is imperative to upgrade to this version or a later release as soon as possible. Follow these steps:
- Backup your Collabora Online instance: Before applying any updates, create a full backup to ensure data recovery in case of unforeseen issues.
- Upgrade Collabora Online: Update the Collabora Online – Built-in CODE Server app to version 25.04.702 or later. Refer to the official Collabora Online documentation for detailed upgrade instructions.
- Verify the installation: After the upgrade, confirm that the updated version is running correctly and that all features are functioning as expected.
- Monitor for suspicious activity: Continuously monitor your systems for any signs of compromise or unauthorized access.
Note: If upgrading is not immediately feasible, consider disabling the Collabora Online – Built-in CODE Server app as a temporary workaround. Be aware that this also disables document editing.
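For the verification step above, an added check (not part of this advisory, nor code from the Collabora or Nextcloud projects): it reads the version the installed app declares and compares it against the fixed release 25.04.702. It assumes the usual Nextcloud app layout, where the app directory contains `appinfo/info.xml` with a `<version>` element; the app directory path and the embedded sample info.xml are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not project code: is the installed richdocumentscode app
# at or above the fixed release named in the advisory?
FIXED_VERSION="25.04.702"

# Compare two dotted numeric versions component by component.
# Returns 0 when $1 >= $2, 1 otherwise (missing components count as 0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Extract the first <version>...</version> value from an info.xml file
# (assumed Nextcloud app layout: <appdir>/appinfo/info.xml).
app_version() {
    sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$1" | head -n 1
}

# Returns 0 if the app in directory $1 is at/above FIXED_VERSION,
# 1 if it is below (upgrade needed), 2 if no version could be read.
check_app() {
    v="$(app_version "$1/appinfo/info.xml")"
    [ -n "$v" ] || { echo "no <version> found in $1/appinfo/info.xml" >&2; return 2; }
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "richdocumentscode $v: at or above $FIXED_VERSION (fixed)"
        return 0
    fi
    echo "richdocumentscode $v: below $FIXED_VERSION (vulnerable, upgrade)"
    return 1
}

# Constructed sample so the script runs offline. On a real host pass the app
# directory instead, e.g. /var/www/nextcloud/apps/richdocumentscode (assumed path).
SAMPLE_DIR="$(mktemp -d)"
mkdir -p "$SAMPLE_DIR/appinfo"
printf '<info>\n  <id>richdocumentscode</id>\n  <version>25.04.701</version>\n</info>\n' \
    > "$SAMPLE_DIR/appinfo/info.xml"
check_app "${1:-$SAMPLE_DIR}" || echo "(check exited with status $?)"
```

Run it as `sh check.sh /path/to/apps/richdocumentscode`; a non-zero exit status means the app is below the fixed release or its version could not be read.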
