
CVE-2025-66208: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in CollaboraOnline online

Severity: High
Tags: Vulnerability, CVE-2025-66208, CWE-78
Published: Wed Dec 03 2025 (12/03/2025, 18:25:59 UTC)
Source: CVE Database V5
Vendor/Project: CollaboraOnline
Product: online

Description

Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a configuration-dependent RCE (OS command injection) in the richdocumentscode proxy. Nextcloud deployments that use the Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702.

AI-Powered Analysis

Last updated: 12/03/2025, 18:36:35 UTC

Technical Analysis

CVE-2025-66208 is an OS command injection vulnerability in the richdocumentscode proxy component of Collabora Online's built-in CODE Server, which provides document editing features. The vulnerability exists in versions prior to 25.04.702 and is reachable via the proxy.php endpoint when Collabora Online is deployed alongside Nextcloud behind an intermediate reverse proxy. The root cause is improper neutralization of special characters in OS commands (CWE-78), which allows an attacker to inject and execute arbitrary commands on the underlying operating system. The CVSS 4.0 vector is network-based (AV:N) and requires no privileges (PR:N) and no user interaction (UI:N); the Attack Requirements metric is Present (AT:P), meaning exploitation depends on deployment conditions, here the intermediate reverse proxy, rather than on any form of authentication. The impact on confidentiality, integrity, and availability is high (VC:H, VI:H, VA:H), so exploitation could lead to full system compromise, data theft, or service disruption. No exploits in the wild are currently reported, but the vulnerability's characteristics make it a significant risk. The fix is included in Collabora Online version 25.04.702, which should be applied promptly. The CWE-78 classification indicates a classic OS command injection flaw caused by insufficient input sanitization.

Potential Impact

For European organizations, this vulnerability poses a critical risk to data confidentiality, system integrity, and service availability, especially for those using Nextcloud integrated with Collabora Online's built-in CODE Server. Successful exploitation could allow attackers to execute arbitrary commands remotely without authentication, potentially leading to data breaches, ransomware deployment, or complete system takeover. Given the widespread use of Nextcloud in Europe, particularly in government, education, and enterprise sectors, this vulnerability could disrupt critical workflows and compromise sensitive information. Reverse proxies are common in enterprise environments for load balancing and security, and that integration is exactly what may expose the vulnerable proxy.php endpoint. The high severity and ease of exploitation make it urgent for European organizations to assess their exposure and remediate promptly to avoid operational and reputational damage.

Mitigation Recommendations

1. Upgrade Collabora Online to version 25.04.702 or later immediately to apply the official patch addressing this vulnerability.
2. Review and restrict access to the proxy.php endpoint by implementing strict network segmentation and firewall rules limiting access only to trusted internal systems.
3. Harden the reverse proxy configuration to validate and sanitize incoming requests, blocking suspicious payloads that could exploit command injection.
4. Employ Web Application Firewalls (WAFs) with custom rules targeting OS command injection patterns specific to Collabora Online proxy requests.
5. Conduct regular security audits and penetration testing focusing on the integration points between Nextcloud, Collabora Online, and reverse proxies.
6. Monitor logs for unusual command execution attempts or anomalous proxy.php access patterns.
7. Educate system administrators about the risks of command injection and the importance of timely patching in integrated document editing environments.
8. If immediate patching is not feasible, consider temporarily disabling the built-in CODE Server or proxy.php endpoint until a fix can be applied.
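The following is an added example, not code from Collabora Online, Nextcloud or this advisory, of how items 2 and 6 above can be checked against reverse-proxy access logs: it flags proxy.php requests that carry shell metacharacters or that originate outside the trusted networks. The log lines, the `/apps/richdocumentscode/proxy.php` path, the `req` parameter and the CIDR ranges are constructed assumptions.

```python
"""Flag suspicious proxy.php requests in reverse-proxy access logs.

Added example for CVE-2025-66208 mitigation items 2 (restrict proxy.php to
trusted systems) and 6 (monitor proxy.php access patterns). Not part of
Collabora Online or Nextcloud; sample data and CIDRs are constructed."""
import ipaddress
import re
from urllib.parse import unquote

# Combined log format as written by nginx/Apache reverse proxies (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no legitimate place in a proxy.php request.
# A single '&' is excluded because it separates ordinary query parameters.
SHELL_META = re.compile(r'[;|`\n]|\$\(|&&')

# Networks allowed to reach proxy.php (constructed; adapt to the deployment).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log: one benign proxy.php hit, one suspicious hit from
# outside the trusted ranges, and one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Dec/2025:18:30:01 +0000] "GET /apps/richdocumentscode/proxy.php?req=/hosting/discovery HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Dec/2025:18:30:02 +0000] "GET /apps/richdocumentscode/proxy.php?req=/hosting/discovery%3Bid HTTP/1.1" 200 77',
    '10.0.0.5 - - [03/Dec/2025:18:30:03 +0000] "GET /index.php/login HTTP/1.1" 200 1200',
]


def inspect_line(line, trusted_nets=TRUSTED_NETS):
    """Return a list of finding labels for one log line (empty if nothing is wrong)."""
    m = LOG_RE.match(line)
    if not m or "proxy.php" not in m["target"]:
        return []
    findings = []
    # Decode twice so a double-encoded %253B is caught as well as a plain %3B.
    decoded = unquote(unquote(m["target"]))
    if SHELL_META.search(decoded):
        findings.append("shell-metacharacter")
    try:
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in trusted_nets):
            findings.append("untrusted-source")
    except ValueError:  # hostname or garbage instead of an address
        findings.append("unparseable-source")
    return findings


def scan(lines, trusted_nets=TRUSTED_NETS):
    """Map line index -> findings for every line that raised at least one finding."""
    results = {}
    for idx, line in enumerate(lines):
        findings = inspect_line(line, trusted_nets)
        if findings:
            results[idx] = findings
    return results


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(findings)}")
```

On the constructed sample the second line is reported with both findings, so it would be the one to escalate under item 6.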


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-24T23:01:29.677Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 693081947d648701e0f8358f

Added to database: 12/3/2025, 6:29:40 PM

Last enriched: 12/3/2025, 6:36:35 PM

Last updated: 12/5/2025, 2:46:03 AM

