Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-57728

CVE-2025-57728: JetBrains IntelliJ IDEA Disclosure Flaw

CVE-2025-57728 is an information disclosure vulnerability in JetBrains IntelliJ IDEA that allows Code With Me guests to access hidden files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-57728 Overview

CVE-2025-57728 is an improper access control vulnerability in JetBrains IntelliJ IDEA versions before 2025.2. The flaw resides in the Code With Me collaborative development feature. A guest participant in a Code With Me session can discover hidden files that the host did not intend to share. The issue is categorized under [CWE-863: Incorrect Authorization]. JetBrains addressed the vulnerability in IntelliJ IDEA 2025.2. The Exploit Prediction Scoring System (EPSS) probability is 0.231%, indicating a low near-term likelihood of active exploitation.

Critical Impact

A remote Code With Me guest can enumerate hidden files on the host developer's workspace without additional privileges, leading to unintended disclosure of sensitive project artifacts.

Affected Products

  • JetBrains IntelliJ IDEA versions prior to 2025.2
  • Code With Me collaborative sessions hosted from vulnerable IntelliJ IDEA builds
  • Developer workstations running IntelliJ IDEA with Code With Me enabled

Discovery Timeline

  • 2025-08-20 - CVE-2025-57728 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-57728

Vulnerability Analysis

The vulnerability affects the Code With Me feature, which enables real-time collaboration between a host developer and one or more guests. Access control checks within the collaboration layer fail to restrict visibility to files marked as hidden. A guest connected to a shared session can enumerate files that should remain outside the collaboration scope. The exposure is limited to file discovery and does not, on its own, grant read access to file contents beyond what the collaboration protocol permits. The flaw is network-reachable through the Code With Me service and requires no prior authentication beyond joining the session.

Root Cause

The root cause is incorrect authorization ([CWE-863]) in the Code With Me sharing logic. Filesystem enumeration paths did not consistently apply the host's visibility rules when serving directory listings to guests. Hidden files, which are typically excluded from IDE views, were returned to guests through a code path that bypassed the intended access filter.

Attack Vector

An attacker joins a Code With Me session as a guest, either via an invited link or by leveraging a session identifier obtained through social engineering. Once connected, the guest issues collaboration protocol requests that list project files. The response includes hidden files that the host did not intend to expose. No user interaction from the host is required beyond starting the collaboration session.

No public proof-of-concept exploit code is available for CVE-2025-57728. See the JetBrains Security Issues Fixed advisory for vendor details.

Detection Methods for CVE-2025-57728

Indicators of Compromise

  • Code With Me sessions initiated from IntelliJ IDEA builds earlier than 2025.2 where unknown or unexpected guests joined.
  • Guest client requests enumerating directories that contain dotfiles or other hidden artifacts (for example .env, .git, .idea).
  • Outbound network traffic from developer workstations to the Code With Me relay service correlated with unusual session durations.

Detection Strategies

  • Inventory IntelliJ IDEA installations across developer endpoints and flag versions earlier than 2025.2.
  • Review Code With Me audit logs for sessions where guests requested directory listings outside expected project scope.
  • Correlate IDE process telemetry with network connections to JetBrains collaboration endpoints to identify sessions on vulnerable builds.

Monitoring Recommendations

  • Alert on execution of idea.exe or idea64.exe versions below 2025.2 on managed developer endpoints.
  • Monitor for unexpected Code With Me guest connections outside business hours or from unrecognized geographies.
  • Log and review invitations sent from the Code With Me feature to ensure only authorized collaborators join sessions.

How to Mitigate CVE-2025-57728

Immediate Actions Required

  • Upgrade all IntelliJ IDEA installations to version 2025.2 or later on every developer workstation.
  • Terminate any active Code With Me sessions running on vulnerable builds until the upgrade is complete.
  • Rotate any secrets or credentials that may have resided in hidden files exposed during past collaboration sessions.

Patch Information

JetBrains fixed the improper access control issue in IntelliJ IDEA 2025.2. Refer to the JetBrains Security Issues Fixed page for the official advisory. Deploy the update through the JetBrains Toolbox App or your organization's software distribution system.

Workarounds

  • Disable the Code With Me plugin in IntelliJ IDEA until the upgrade to 2025.2 is completed.
  • Restrict Code With Me sessions to trusted collaborators and require full-access permission approval before sharing.
  • Store sensitive artifacts such as .env files and credentials outside project directories that are opened during Code With Me sessions.
bash
# Verify installed IntelliJ IDEA version on Linux/macOS
idea --version

# Disable Code With Me plugin via command line (path may vary by OS)
rm -rf ~/.config/JetBrains/IntelliJIdea*/plugins/code-with-me

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.