This security advisory from Red Hat details the 3.20.0 release of OpenShift Dev Spaces, which includes fixes for three notable vulnerabilities: CVE-2024-12905 (path traversal via malicious tar files in tar-fs), CVE-2025-22868 (unexpected memory consumption during token parsing in golang.org/x/oauth2/jws), and CVE-2025-22869 (denial of service in the key exchange of golang.org/x/crypto/ssh). The release updates all relevant containers to address these issues and is based on Eclipse Che 7.100 with support for devfile v2.1 and v2.2. Users still on devfile v1 are advised to migrate promptly. The advisory emphasizes applying all previously released errata before updating and notes that Dev Spaces updates require running on the latest two OpenShift 4 EUS releases.

The vulnerabilities fixed in this release could allow an attacker to perform path traversal attacks via crafted tar files, potentially leading to unauthorized file access or modification (CVE-2024-12905). The memory consumption issue during token parsing (CVE-2025-22868) could lead to resource exhaustion, impacting service availability. The denial of service vulnerability in the SSH key exchange (CVE-2025-22869) could disrupt secure communications, affecting the availability of the Dev Spaces environment. These issues collectively pose a high severity risk to the confidentiality, integrity, and availability of the affected OpenShift Dev Spaces environments.

Red Hat has released OpenShift Dev Spaces 3.20.0 which includes fixes for the identified vulnerabilities. Users should apply this update promptly after ensuring all previous errata relevant to their system have been applied. The advisory provides detailed instructions for applying updates and recommends migrating from devfile v1 to v2.1 or v2.2 standards. Users must also keep their OpenShift platform updated to the latest two 4 EUS releases to continue receiving Dev Spaces updates and security fixes. No additional mitigation steps are indicated beyond applying the official update.