CVE-2025-49619
BaseFortify
Publication date: 2025-06-07
Last updated on: 2025-06-17
Assigner: MITRE
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a runtime memory leak in how the Skyvern project uses the Jinja2 templating engine. It occurs because the code used `jinja2.Template` directly to compile templates, which led to unsafe operations and resource leaks during template processing. The issue was fixed by switching to a sandboxed environment (`jinja2.sandbox.SandboxedEnvironment`) that restricts template execution and prevents such leaks. [1]
How can this vulnerability impact me?
The vulnerability can cause a runtime memory leak when processing templates, which may lead to increased memory consumption and potential denial of service due to resource exhaustion. Since the CVSS score is 8.5 with high confidentiality impact, it may also allow unauthorized access to sensitive data through the unsafe template execution. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Skyvern software to a version that includes the fix replacing the direct use of `jinja2.Template` with a sandboxed environment from `jinja2.sandbox.SandboxedEnvironment`. This involves applying the patch that changes the import and usage in `sdk/workflow/models/block.py` to use `SandboxedEnvironment` for template compilation, which prevents unsafe operations and runtime memory leaks. [1]
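To confirm that a code base no longer compiles templates with `jinja2.Template` directly, the check below walks a Python file's AST and reports each such call. It is an added example, not code from Skyvern or from this page; the `BEFORE`/`AFTER` snippets, the function names and the `jinja_sandbox_env` variable are constructed for illustration.

```python
import ast

# Constructed samples (not Skyvern's actual source): the pattern the fix
# removes, and the sandboxed replacement the page describes.
BEFORE = '''
from jinja2 import Template
import jinja2

def format_prompt(user_template, ctx):
    return Template(user_template).render(ctx)

def format_title(user_template, ctx):
    return jinja2.Template(user_template).render(ctx)
'''

AFTER = '''
from jinja2.sandbox import SandboxedEnvironment

jinja_sandbox_env = SandboxedEnvironment()  # hypothetical name

def format_prompt(user_template, ctx):
    return jinja_sandbox_env.from_string(user_template).render(ctx)
'''


def find_direct_template_calls(source):
    """Return sorted (line, callee) pairs where jinja2.Template is constructed directly."""
    tree = ast.parse(source)
    module_aliases, class_aliases = set(), set()
    # Pass 1: collect the local names bound to the jinja2 module and to Template.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            module_aliases |= {a.asname or a.name for a in node.names if a.name == "jinja2"}
        elif isinstance(node, ast.ImportFrom) and node.module == "jinja2":
            class_aliases |= {a.asname or a.name for a in node.names if a.name == "Template"}
    # Pass 2: flag calls made through either of those names.
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in class_aliases:
            findings.append((node.lineno, func.id))
        elif (isinstance(func, ast.Attribute) and func.attr == "Template"
              and isinstance(func.value, ast.Name) and func.value.id in module_aliases):
            findings.append((node.lineno, f"{func.value.id}.Template"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        print(label, find_direct_template_calls(src))
```

The check only follows `import jinja2` and `from jinja2 import Template` (with or without `as`); a `Template` reached through another re-export or a non-sandboxed `Environment` still needs manual review.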