CVE-2025-49521
BaseFortify
Publication date: 2025-06-30
Last updated on: 2025-07-03
Assigner: Red Hat, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a high-severity template injection flaw in the Event-Driven Ansible (EDA) component of the Ansible Automation Platform. It occurs because user-supplied Git metadata fields like branch, tag, commit, and refspec are directly evaluated as Jinja2 templates without proper sanitization. This allows authenticated users to inject malicious Jinja2 expressions that get executed on the EDA worker node, leading to arbitrary command execution or unauthorized access to sensitive files. [1]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to arbitrary command execution and unauthorized disclosure of sensitive files on the EDA worker node. In OpenShift environments, it can also result in theft of the service account token of the worker pod, which may allow attackers to escalate privileges and gain broader access within the cluster. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for suspicious or unexpected Jinja2 template expressions in Git metadata fields such as branch, tag, commit, or refspec during EDA project creation or synchronization. You can inspect logs on the EDA worker node for execution of unusual Jinja2 expressions like '{{ lookup(...) }}'. Additionally, searching for these patterns in configuration files or Git metadata inputs may help identify exploitation attempts. Specific commands might include using grep to find Jinja2 expressions in relevant files or logs, for example: grep -r '{{ lookup' /path/to/eda/projects or journalctl -u eda-worker | grep '{{ lookup'. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or validating user inputs for Git metadata fields (branch, tag, commit, refspec) to prevent injection of Jinja2 expressions. Applying any available patches or updates from the vendor (Ansible Automation Platform) that address this vulnerability is critical. Additionally, limiting access to the EDA worker nodes and monitoring for suspicious activity can reduce risk. In OpenShift environments, securing service account tokens and reviewing pod permissions is also recommended. [1]
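One way to apply the input-validation step described above, as an added example that is not Ansible Automation Platform code or the vendor's fix. The four field names come from the text; the allowlist patterns and the function names `check_field` and `validate_git_metadata` are assumptions of this sketch.

```python
import re

# Jinja2's default expression, statement and comment delimiters.
JINJA_MARKERS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")

# Allowlists for the four fields named above. The patterns are assumptions of
# this example and are deliberately stricter than Git's own ref-name rules.
_NAME = r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}"
_SPEC = r"[A-Za-z0-9][A-Za-z0-9._/*-]{0,254}"
RULES = {
    "branch": re.compile(_NAME),
    "tag": re.compile(_NAME),
    "commit": re.compile(r"[0-9a-fA-F]{7,64}"),
    "refspec": re.compile(r"\+?" + _SPEC + r"(?::" + _SPEC + r")?"),
}


def check_field(name, value):
    """Return None when value is acceptable, otherwise a rejection reason."""
    if not isinstance(value, str):
        return "not a string"
    if JINJA_MARKERS.search(value):
        return "contains Jinja2 delimiter"
    if ".." in value or not RULES[name].fullmatch(value):
        return "not a plain Git " + name
    return None


def validate_git_metadata(fields):
    """Check a project's Git fields; return {field: reason} for each reject."""
    errors = {}
    for name in RULES:
        value = fields.get(name)
        if value in (None, ""):  # optional field left unset
            continue
        reason = check_field(name, value)
        if reason:
            errors[name] = reason
    return errors


if __name__ == "__main__":
    # Constructed sample submissions, not captured data.
    print(validate_git_metadata({"branch": "main", "refspec": "refs/pull/42/head"}))
    print(validate_git_metadata({"branch": "{{ lookup(...) }}", "commit": "xyz"}))
```

Running the same check over existing project records, not only new submissions, also surfaces values that were stored before validation was in place.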