CVE-2025-68952 - Vulnerability Details - OpenCVE

Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary code on the victim's machine or server through a specific interaction (1-click). This issue has been patched in version 0.0.61.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Eigent-ai	Eigent

No data.

No data.

References

Link	Providers
https://github.com/eigent-ai/eigent/security/advisories/GHSA-pwcx-28p4-rmq4

History

Mon, 29 Dec 2025 23:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Eigent-ai Eigent-ai eigent
Vendors & Products		Eigent-ai Eigent-ai eigent

Mon, 29 Dec 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sat, 27 Dec 2025 00:45:00 +0000

Type	Values Removed	Values Added
Description		Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary code on the victim's machine or server through a specific interaction (1-click). This issue has been patched in version 0.0.61.
Title		1-click Remote Code Execution (RCE) vulnerability in Eigent
Weaknesses		CWE-94
References		https://github.com/eigent-ai/eigent/security/advisories/GHSA-pwcx-28p4-rmq4
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-12-27T00:37:08.917Z

Updated: 2025-12-29T15:53:36.804Z

Reserved: 2025-12-26T16:46:35.335Z

Link: CVE-2025-68952

Vulnrichment

Updated: 2025-12-29T15:53:32.230Z

NVD

Status : Awaiting Analysis

Published: 2025-12-27T01:15:42.853

Modified: 2025-12-29T15:57:37.560

Link: CVE-2025-68952

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68952", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-26T16:46:35.335Z", "datePublished": "2025-12-27T00:37:08.917Z", "dateUpdated": "2025-12-29T15:53:36.804Z"}, "containers": {"cna": {"title": "1-click Remote Code Execution (RCE) vulnerability in Eigent", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/eigent-ai/eigent/security/advisories/GHSA-pwcx-28p4-rmq4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/eigent-ai/eigent/security/advisories/GHSA-pwcx-28p4-rmq4"}], "affected": [{"vendor": "eigent-ai", "product": "eigent", "versions": [{"version": "= 0.0.60", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-27T00:37:08.917Z"}, "descriptions": [{"lang": "en", "value": "Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary code on the victim's machine or server through a specific interaction (1-click). This issue has been patched in version 0.0.61."}], "source": {"advisory": "GHSA-pwcx-28p4-rmq4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-29T15:53:19.095871Z", "id": "CVE-2025-68952", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-29T15:53:36.804Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68952", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-29T15:53:19.095871Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-29T15:53:32.230Z"}}], "cna": {"title": "1-click Remote Code Execution (RCE) vulnerability in Eigent", "source": {"advisory": "GHSA-pwcx-28p4-rmq4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "eigent-ai", "product": "eigent", "versions": [{"status": "affected", "version": "= 0.0.60"}]}], "references": [{"url": "https://github.com/eigent-ai/eigent/security/advisories/GHSA-pwcx-28p4-rmq4", "name": "https://github.com/eigent-ai/eigent/security/advisories/GHSA-pwcx-28p4-rmq4", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary code on the victim's machine or server through a specific interaction (1-click). This issue has been patched in version 0.0.61."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-27T00:37:08.917Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68952", "state": "PUBLISHED", "dateUpdated": "2025-12-29T15:53:36.804Z", "dateReserved": "2025-12-26T16:46:35.335Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-27T00:37:08.917Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary code on the victim's machine or server through a specific interaction (1-click). This issue has been patched in version 0.0.61."}], "id": "CVE-2025-68952", "lastModified": "2025-12-29T15:57:37.560", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-12-27T01:15:42.853", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/eigent-ai/eigent/security/advisories/GHSA-pwcx-28p4-rmq4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}