Multiple Linux Kernel Vulnerabilities
May 12, 2025
Patchwork APT Group – Active IOCs
May 12, 2025
Severity
High
Analysis Summary
A newly discovered vulnerability, CVE-2025-47269, has raised serious security concerns for users of code-server, a tool that allows developers to run Visual Studio Code (VS Code) directly in the browser. With a CVSS score of 8.3, this vulnerability is classified as high severity and requires immediate action from all users.
code-server is a widely popular open-source project that brings the power of desktop VS Code to the web, giving developers the flexibility to write and manage code remotely on any device. However, this convenience can come at a cost when security bugs are present.
The core issue lies in how code-server handles something called the proxy subpath. This feature is intended to help developers access services running on their local machine via the browser. Unfortunately, the implementation of this feature lacks proper checks, particularly around how port numbers and domain names are handled in URLs.
An attacker can craft a malicious URL. When this URL is clicked, code-server may inadvertently proxy the request to test@evil.com/path, a server controlled by the attacker. Since the user’s session cookie is included in the request, the attacker can intercept it. That cookie is like a digital key: whoever holds it can unlock the full session.
With access to the session token, the attacker can log into the code-server instance without any password or login step, just like the real user. From there, they can:
- Read, edit, or delete source code
- Upload or install malicious files or software
- Gain access to the server environment running code-server
- Use the machine to attack other systems in the network
In simple terms, this vulnerability allows a malicious actor to take full control of a developer’s working environment, a major risk for both individual users and organizations running code-server in production environments.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2025-47269
Remediation
- Update to code-server version v4.99.4 or newer immediately.
- Never click on untrusted or suspicious code-server links.
- Run code-server behind authentication layers (e.g., reverse proxy with auth).
- Disable public access to code-server unless absolutely necessary.
- Regularly audit logs for abnormal activity.
- Use strong, unique credentials and enable 2FA where supported.
- Restrict or disable proxy subpath usage unless absolutely necessary.
- Apply strict URL validation and domain allow listing to prevent redirection to unauthorized domains.
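The following is an added example, not code-server's own implementation, illustrating the flaw described in the Analysis Summary and the last remediation item (strict URL validation and host allow listing). It contrasts a naive proxy-target construction, which lets a userinfo-style segment such as test@evil.com become the request's host, with a hardened parser that only accepts a purely numeric port and re-checks the host the URL parser actually resolved to. The function names (naiveHostname, parseProxyTarget), the ProxyDecision shape and the loopback-only allow list are assumptions made for this example.

```typescript
// Added example (not code-server's own code). Assumed route shape: /proxy/<port>/<path>.

interface ProxyDecision {
  ok: boolean;
  target?: string; // fully-qualified URL we would forward to (assumed loopback policy)
  reason?: string; // why the request was refused
}

// Only digits are acceptable in the port segment: no "@", ":", ".", letters or signs.
const PORT_SEGMENT = /^\d{1,5}$/;

// Naive construction shown for contrast: concatenating the raw segment into the
// authority lets "test@evil.com" be read as userinfo "test" and host "evil.com".
function naiveHostname(proxyPath: string): string {
  const rest = proxyPath.replace(/^\/proxy\//, "");
  const slash = rest.indexOf("/");
  const segment = slash === -1 ? rest : rest.slice(0, slash);
  const tail = slash === -1 ? "/" : rest.slice(slash);
  return new URL("http://" + segment + tail).hostname;
}

// Hardened parser: validates the port segment, builds the target with the URL
// parser against a fixed loopback base, then verifies the resolved host and
// scheme before returning a forwardable target.
function parseProxyTarget(
  requestPath: string,
  allowedHosts: string[] = ["127.0.0.1"], // assumed allow list; loopback only
): ProxyDecision {
  const m = /^\/proxy\/([^/]*)(\/.*)?$/.exec(requestPath);
  if (!m) {
    return { ok: false, reason: "not a proxy subpath" };
  }
  const segment = m[1];
  const tail = m[2] !== undefined ? m[2] : "/";

  if (!PORT_SEGMENT.test(segment)) {
    return { ok: false, reason: `port segment "${segment}" is not purely numeric` };
  }
  const port = Number(segment);
  if (port < 1 || port > 65535) {
    return { ok: false, reason: `port ${port} is out of range` };
  }

  // Resolve the client-supplied tail relative to a fixed base. A tail such as
  // "//evil.com/x" would replace the authority, so the resolved host is re-checked.
  const url = new URL(tail, `http://127.0.0.1:${port}`);
  if (url.protocol !== "http:" || !allowedHosts.includes(url.hostname)) {
    return { ok: false, reason: `resolved host "${url.host}" is not on the allow list` };
  }
  return { ok: true, target: url.toString() };
}

// Constructed sample request paths, modelled on the advisory's example.
const samplePaths = [
  "/proxy/8080/app/index.html",
  "/proxy/test@evil.com/path",
  "/proxy/8080@evil.com/path",
  "/proxy/8080//evil.com/path",
  "/proxy/70000/",
];
for (const p of samplePaths) {
  const d = parseProxyTarget(p);
  console.log(p, "->", d.ok ? `forward to ${d.target}` : `reject (${d.reason})`);
}
```

Running the block forwards only the first sample to http://127.0.0.1:8080/app/index.html and refuses the rest; the naive construction, by contrast, reports evil.com as the host for the advisory's test@evil.com/path input, which is exactly how a session cookie ends up at an attacker-controlled server.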