CVE-2025-53623
BaseFortify

Publication date: 2025-07-14

Last updated on: 2025-07-15

Assigner: GitHub, Inc.

Description
The Job Iteration API is an extension for ActiveJob that makes jobs interruptible and resumable. Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the `CsvEnumerator` class. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. The issue is fixed in versions `1.11.0` and above. Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid using the `count_of_rows_in_file` method with untrusted CSV filenames.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor   Product        Version / Range
shopify  job-iteration  1.11.0
shopify  job-iteration  1.10
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-53623 is a security vulnerability in the CsvEnumerator class of the Shopify job-iteration Ruby gem (versions prior to 1.11.0). It allows an attacker to execute arbitrary system commands on the host by exploiting improper handling of untrusted input, specifically CSV filenames. This happens because the vulnerable code interpolated filenames directly into shell commands, enabling command injection. The vulnerability is fixed in version 1.11.0 by replacing unsafe shell command usage with native Ruby file handling methods and by sanitizing inputs. [1, 2, 3, 4]


How can this vulnerability impact me?

This vulnerability can lead to an attacker executing arbitrary commands on the system running the affected application. This can result in unauthorized access, data leakage, or complete system compromise, potentially allowing the attacker to control or damage the system. [3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the version of the job-iteration gem in use. Versions prior to 1.11.0 are vulnerable. Additionally, inspecting usage of the CsvEnumerator class, especially the method count_of_rows_in_file with untrusted CSV filenames, can help identify potential exploitation. Since the vulnerability involves command injection via shell commands, monitoring for unusual shell command executions related to CSV file processing might help. Specific commands to detect the vulnerability include checking the gem version with `gem list job-iteration` or inspecting the codebase for usage of vulnerable methods. There are no direct network detection commands provided. [2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the job-iteration gem to version 1.11.0 or later, where the vulnerability is fixed. Avoid using untrusted input in the CsvEnumerator class, especially avoid passing untrusted CSV filenames to the count_of_rows_in_file method. Sanitize and validate all file paths before passing them to CsvEnumerator methods. The fix replaces unsafe shell command usage with native Ruby methods, so upgrading ensures these safer methods are used. [2, 3, 4]
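An added example of the two mitigations the answers above describe, the vulnerable pattern beside its hardened form. This is illustrative code written for this page, not the gem's own implementation of `count_of_rows_in_file`: the function names, the `uploads` base directory and the sample CSV are all constructed. The unsafe version shows the CWE-78 shape (a caller-supplied filename interpolated into a shell command); the safe version never touches a shell, confines the resolved path to an allowed directory, and counts records with Ruby's `CSV` library, which also handles the edge case of quoted fields containing newlines that a line count would miscount.

```ruby
require "csv"
require "pathname"
require "tmpdir"

# UNSAFE pattern (shown for contrast, never called below): the filename is
# spliced into a shell command line, so whoever controls `filename`
# controls part of the command. This is the CWE-78 shape from the advisory.
def count_rows_via_shell(filename)
  `wc -l < #{filename}`.to_i
end

# Resolve `filename` relative to `base_dir` and refuse anything that
# escapes it (absolute paths, "..", symlinks pointing elsewhere).
# realpath raises Errno::ENOENT if the file does not exist.
def safe_csv_path(filename, base_dir)
  base = Pathname.new(base_dir).realpath
  path = (base + filename).realpath
  unless path.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise ArgumentError, "#{filename.inspect} resolves outside #{base}"
  end
  path.to_s
end

# SAFE version: no shell involved. CSV.foreach yields one record per CSV
# row, so a quoted field with an embedded newline counts once, whereas
# `wc -l` would count each physical line.
def count_rows_without_shell(filename, base_dir)
  path = safe_csv_path(filename, base_dir)
  count = 0
  CSV.foreach(path) { count += 1 }
  count
end

# Constructed sample: a header row and two data rows; the first data row
# has a quoted field spanning two physical lines (4 lines, 3 CSV records).
CONSTRUCTED_CSV = "id,note\n1,\"line one\nline two\"\n2,plain\n"

# Builds a throwaway layout, counts the allowed file, and confirms that a
# traversal to a file outside the allowed directory is rejected.
def demo
  Dir.mktmpdir do |dir|
    uploads = File.join(dir, "uploads")
    Dir.mkdir(uploads)
    File.write(File.join(uploads, "orders.csv"), CONSTRUCTED_CSV)
    File.write(File.join(dir, "outside.csv"), "not yours\n")

    rows = count_rows_without_shell("orders.csv", uploads)

    traversal_rejected = false
    begin
      count_rows_without_shell("../outside.csv", uploads)
    rescue ArgumentError
      traversal_rejected = true
    end

    { rows: rows, traversal_rejected: traversal_rejected }
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo  # => {:rows=>3, :traversal_rejected=>true}
end
```

The confinement check belongs in the application even after upgrading to 1.11.0: the gem fix removes the shell, but which files a job may read is still a decision the caller has to make.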

