CVE-2025-66208
Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy
Description
Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702.
INFO
Published Date :
Dec. 3, 2025, 6:25 p.m.
Last Modified :
Dec. 3, 2025, 6:25 p.m.
Remotely Exploit :
No
Source :
GitHub_M
Affected Products
The following products are affected by CVE-2025-66208
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
Solution
- Update Collabora Online CODE Server to version 25.04.702.
- Ensure all intermediate reverse proxies are secured.
- Review proxy.php configurations for any weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-66208 vulnerability anywhere in the article.