Description
A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft.
References (3)
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2025:9986
Vendor Advisory (vdb-entry, x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2025-49521
Issue Tracking (issue-tracking, x_refsource_redhat): https://bugzilla.redhat.com/show_bug.cgi?id=2370817
Scores
CVSS v3 Base Score: 8.8
EPSS: 0.0047
EPSS Percentile: 64.8%
Attack Vector: NETWORK
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-94
Status: published
Products (2)
Red Hat / Red Hat Ansible Automation Platform 2.5 for RHEL 8: fixed in 0:1.1.11-1.el8ap
Red Hat / Red Hat Ansible Automation Platform 2.5 for RHEL 9: fixed in 0:1.1.11-1.el9ap
Published: Jun 30, 2025
Tracked Since: Feb 18, 2026