A security advisory from the Atheos project has disclosed a critical vulnerability (CVE-2025-22152) that could compromise servers running the web-based IDE framework. With a CVSSv4 score of 9.4, this path traversal flaw exposes users to significant risks, including unauthorized file access, remote code execution, and arbitrary file uploads.
Atheos is a modernized and actively maintained fork of Codiad, a lightweight web-based integrated development environment (IDE). The platform, known for its minimal requirements and modern tooling, allows developers to code in-browser, making it a popular choice for streamlined workflows. However, a critical flaw in versions prior to v559 threatens the integrity and security of Atheos installations.
The advisory explains that improper validation of the $path and $target parameters across multiple components has left the framework vulnerable to path traversal attacks, unauthorized file execution, and arbitrary file uploads. This flaw could allow attackers to read, modify, or execute arbitrary files on the server, potentially leading to a full server compromise.
The advisory notes, “The $path and $target parameters are not properly validated across multiple components, allowing an attacker to read, modify, or execute arbitrary files on the server.”
The security advisory provides examples of how these vulnerabilities can be exploited:
- Path traversal via download.php or filemanager.php: attackers can use improperly sanitized parameters to access sensitive system files, such as /etc/passwd.
- Unauthorized code execution via dialog.php: malicious dialog files can be created and executed by manipulating path traversal parameters.
- Arbitrary file uploads: attackers can exploit the $filename parameter to upload malicious files to unauthorized locations.
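The three exploitation patterns above all leave a recognisable trace in the web server's access log: a request to one of the named scripts whose path, target or filename parameter carries a parent-directory reference, possibly percent-encoded. The following Python scanner is an added example for defenders and is not part of the advisory or the Atheos project; the log lines are constructed for the demonstration, and only the script and parameter names that the advisory itself cites are used.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Scripts named in the advisory and the parameters it cites ($path, $target,
# $filename). The request shapes below are constructed for the example.
WATCHED_SCRIPTS = {"download.php", "filemanager.php", "dialog.php", "class.transfer.php"}
WATCHED_PARAMS = {"path", "target", "filename"}

# Combined-log prefix: client, identity, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two traversal attempts against download.php and
# filemanager.php (the second percent-encoded), one benign open, one doubled
# '....//' form against dialog.php, and one unrelated static asset.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /components/transfer/download.php?path=../../../../etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /components/filemanager.php?action=open&path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1432',
    '198.51.100.4 - - [10/Jan/2025:10:01:12 +0000] "GET /components/filemanager.php?action=open&path=project/index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2025:10:02:30 +0000] "POST /components/dialog.php?target=....//....//tmp/x HTTP/1.1" 200 88',
    '198.51.100.4 - - [10/Jan/2025:10:03:00 +0000] "GET /themes/default/style.css HTTP/1.1" 200 2048',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '%252e%252e' is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """Heuristic: any '..' after full decoding, or an embedded NUL byte.
    A substring match is deliberate so '....//' variants are caught; it may
    flag odd-but-legitimate names like 'notes..txt', which is acceptable for triage."""
    v = decode_fully(value).replace("\\", "/")
    return ".." in v or "\x00" in v


def scan_line(line: str):
    """Return a finding dict for a suspicious request to a watched script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    split = urlsplit(m.group("uri"))
    script = split.path.rsplit("/", 1)[-1]
    if script not in WATCHED_SCRIPTS:
        return None
    for key, value in parse_qsl(split.query, keep_blank_values=True):
        if key in WATCHED_PARAMS and is_traversal(value):
            return {
                "ip": m.group("ip"),
                "script": script,
                "param": key,
                "value": decode_fully(value),
                "status": int(m.group("status")),
            }
    return None


def scan(lines):
    """All findings, in log order."""
    return [hit for hit in map(scan_line, lines) if hit]


def offenders(hits):
    """Findings per client address, for prioritising follow-up."""
    return dict(Counter(hit["ip"] for hit in hits))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(f'{hit["ip"]} {hit["script"]} {hit["param"]}={hit["value"]!r} -> {hit["status"]}')
    print(offenders(found))
```

Two limits worth knowing before relying on this: the access log only records the query string, so parameters sent in a POST body (the usual case for uploads) are invisible to it and need application-level request logging, and a 200 status on a flagged request is the signal to treat as a probable successful read rather than a blocked probe.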
The CVE-2025-22152 vulnerabilities impact all Atheos versions prior to v559. Key affected components include:
- traits/checks.php – The core logic for path validation fails to sanitize inputs adequately.
- components/dialog.php – Vulnerable to directory traversal attacks.
- components/transfer/download.php – Enables arbitrary file writes.
- components/transfer/class.transfer.php – Improper validation allows unauthorized dialog execution and malicious uploads.
The root cause, as detailed in the advisory, is a “lack of robust input validation for the path or target parameters.”
The Atheos project has released version 600 to address these vulnerabilities. The patch replaces the flawed path validation logic with stricter sanitization and validation rules across all server-side components. Key improvements include:
- cleanPath – Strips unsafe characters and normalizes paths to prevent traversal.
- checkPath – Validates paths against user permissions and allowed directories.
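The fix splits the work into a lexical cleanup step and a containment check, which is the right shape regardless of language. The Python below is an added example written for this article, not the Atheos cleanPath/checkPath code (which is PHP and not reproduced here): it contrasts a naive strip-the-dots sanitizer with a resolve-then-contain check, including the write case where the target file does not exist yet and a symlink inside the workspace pointing outside it. The workspace layout, the function names weak_clean_path, clean_path, check_path and classify, and the sample paths are all constructed for the demonstration.

```python
import os
import posixpath
import shutil
import tempfile

# Constructed workspace root used only by weak_check(); the hardened
# check_path() takes its root as an argument so the demo can use a temp dir.
WORKSPACE_ROOT = "/srv/ide/workspace"


def weak_clean_path(path: str) -> str:
    """A naive sanitizer that deletes the literal '../' token once.
    Shown as the kind of check that does NOT stop traversal."""
    return path.replace("../", "")


def weak_check(path: str) -> str:
    """Joins the 'cleaned' path under the workspace without resolving it.
    posixpath.join() discards the root when the second argument is absolute."""
    return posixpath.join(WORKSPACE_ROOT, weak_clean_path(path))


def clean_path(path: str) -> str:
    """Lexical cleanup: reject NUL bytes, absolute paths, empty paths and
    any '..' component; drop '.' and empty components. Returns a relative path."""
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    path = path.replace("\\", "/")          # treat backslash as a separator too
    if path.startswith("/"):
        raise ValueError("absolute path not allowed")
    parts = [p for p in path.split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError("empty path")
    if ".." in parts:
        raise ValueError("parent-directory reference in path")
    return "/".join(parts)


def check_path(path: str, root: str, must_exist: bool = True) -> str:
    """Resolve the cleaned path under root and prove it stays inside.
    realpath() follows symlinks, so a link inside the workspace that points
    outside is caught. For writes (must_exist=False) the leaf may not exist
    yet, so the parent directory is resolved and the leaf name re-attached."""
    rel = clean_path(path)
    root_real = os.path.realpath(root)
    candidate = os.path.join(root_real, rel)
    probe = candidate if must_exist else os.path.dirname(candidate)
    resolved = os.path.realpath(probe)
    if os.path.commonpath([root_real, resolved]) != root_real:
        raise PermissionError(f"path escapes workspace: {path!r}")
    if must_exist:
        if not os.path.exists(resolved):
            raise FileNotFoundError(path)
        return resolved
    return os.path.join(resolved, os.path.basename(candidate))


def classify(path: str, root: str, must_exist: bool = True) -> str:
    """Map check_path() outcomes to a label for the demo table."""
    try:
        check_path(path, root, must_exist)
        return "ok"
    except ValueError:
        return "rejected"        # failed lexical cleanup
    except PermissionError:
        return "escape"          # resolved outside the workspace
    except FileNotFoundError:
        return "missing"         # confined to the workspace, but not present


def demo() -> dict:
    """Build a throwaway workspace with one project file and a symlink that
    points outside it, then run constructed inputs through both checks."""
    outside = tempfile.mkdtemp(prefix="outside-")
    ws = tempfile.mkdtemp(prefix="workspace-")
    try:
        os.makedirs(os.path.join(ws, "project"))
        open(os.path.join(ws, "project", "main.php"), "w").close()
        open(os.path.join(outside, "secret.txt"), "w").close()
        os.symlink(outside, os.path.join(ws, "link"))
        return {
            "normal read": classify("project/main.php", ws),
            "dotdot read": classify("../../etc/passwd", ws),
            "doubled dotdot": classify("....//etc/passwd", ws),
            "absolute": classify("/etc/passwd", ws),
            "symlink escape": classify("link/secret.txt", ws),
            "new file write": classify("project/new.php", ws, must_exist=False),
            "write outside via symlink": classify("link/evil.php", ws, must_exist=False),
            # the naive checks, for contrast
            "weak check absolute": weak_check("/etc/passwd"),
            "weak check doubled": weak_clean_path("....//etc/passwd"),
        }
    finally:
        shutil.rmtree(ws)
        shutil.rmtree(outside)


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:28} {outcome}")
```

Two outcomes in the table are the point of the design: the doubled "....//" form that turns into "../" after the naive strip is simply an ordinary (non-existent) name inside the workspace once ".." is rejected as a component rather than stripped as a string, and the symlink cases show why a lexical check alone is not enough, since only resolving through the filesystem reveals that the target lands outside the root.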
Users are strongly advised to upgrade to version 600 or later to mitigate these critical risks.