Impact
The vulnerability stems from Eclipse Theia's browser backend exposing privileged terminal RPC over WebSocket endpoints (/services/shell-terminal, /services/terminals/:id) without service-level authentication. Because WebSocket origin validation is fail-open, connections are accepted when no Origin header is present or when no THEIA_HOSTS allowlist is configured. Attackers can therefore open these WebSocket connections from a foreign-origin web page, create terminals, attach to them and execute arbitrary OS commands while reading their output. The impact is full remote code execution for any user who has a running Theia instance.
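The fail-open pattern described above, shown next to a fail-closed variant, as an added illustration that is not Eclipse Theia's code: the allowlist format (comma-separated host[:port] entries, in the style of THEIA_HOSTS), the function names and the host-only comparison are assumptions made for the example.

```javascript
// Added illustration, not Theia's implementation. Models the difference between
// an origin check that accepts on a missing Origin header or an empty allowlist
// (fail-open) and one that rejects in both cases (fail-closed).

// Parse an allowlist in the assumed "host[:port],host[:port]" form.
function parseAllowlist(envValue) {
  if (!envValue) return [];
  return envValue.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// Compare only the host[:port] of the Origin against the allowlist (assumed policy).
function hostMatches(originHeader, allowlist) {
  let url;
  try { url = new URL(originHeader); } catch { return false; } // malformed Origin
  return allowlist.includes(url.host.toLowerCase());
}

// Weak pattern: both "no Origin" and "no allowlist configured" are accepted,
// so a default install with no THEIA_HOSTS accepts any cross-origin upgrade.
function originAllowedFailOpen(originHeader, allowlist) {
  if (!originHeader) return true;
  if (allowlist.length === 0) return true;
  return hostMatches(originHeader, allowlist);
}

// Hardened pattern: browsers always send Origin on WebSocket upgrades, so a
// missing header or an unconfigured allowlist is treated as a rejection.
function originAllowedFailClosed(originHeader, allowlist) {
  if (!originHeader) return false;
  if (allowlist.length === 0) return false;
  return hostMatches(originHeader, allowlist);
}

// Evaluate a batch of constructed upgrade requests ({ origin }) under one policy
// and return how many would be admitted; useful for comparing configurations.
function countAdmitted(requests, allowlistEnv, policy) {
  const allowlist = parseAllowlist(allowlistEnv);
  return requests.filter((r) => policy(r.origin, allowlist)).length;
}

// Constructed sample: one same-host request, one foreign origin, one with no Origin.
const SAMPLE_REQUESTS = [
  { origin: 'http://localhost:3000' },
  { origin: 'http://attacker.invalid' },
  { origin: undefined },
];
```

Origin validation only constrains browser-initiated cross-origin connections; non-browser clients can omit or set the header freely, so it does not replace authenticating the WebSocket session, which the Impact section identifies as the missing control.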
Affected Systems
Affected systems include Eclipse Theia versions 1.8.1 and later. The default installation without a configured host allowlist or external authentication is vulnerable. Both local developer environments and hosted or tunneled deployments that do not enforce strong authentication are susceptible.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity. EPSS data is not available and the vulnerability is not listed in a KEV catalog, which suggests no publicly known exploitation yet. Nevertheless, the drive-by nature of the attack vector means that a malicious web page visited by a user with an active Theia session can execute code without any user interaction beyond visiting the page. The risk is high for organizations that expose Theia to untrusted network segments or rely on default configurations.
OpenCVE Enrichment