CVE-2025-49619

Severity: HIGH · EXPLOITED

Skyvern SSTI Remote Code Execution

Title source: metasploit

Exploitation Summary

CVE-2025-49619 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Cristian Branet, cristibtz and msutovsky-r7, among them a Metasploit module, exploits/linux/http/skyvern_ssti_cve_2025_49619.

AI-analyzed exploit summary: This exploit leverages a Server-Side Template Injection (SSTI) vulnerability in Skyvern's Workflow Editor to achieve remote code execution via Jinja2 template injection, resulting in a reverse shell.

Description

Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE).

Exploits (4)

exploitdb · WORKING POC
by Cristian Branet · python · webapps · multiple
https://www.exploit-db.com/exploits/52335

This exploit leverages a Server-Side Template Injection (SSTI) vulnerability in Skyvern's Workflow Editor to achieve remote code execution via Jinja2 template injection, resulting in a reverse shell.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Skyvern < 0.1.85 (before commit db856cd)
Auth required
Prerequisites: Valid API key for Skyvern · Network access to the target Skyvern instance · Listener set up for reverse shell
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 2 stars
by cristibtz · remote · auth
https://github.com/cristibtz/CVE-2025-49619

This repository contains a functional exploit for CVE-2025-49619, which leverages Server-Side Template Injection (SSTI) in Skyvern's Workflow Editor to achieve blind remote code execution via a reverse shell. The exploit uses Jinja2 template injection to execute arbitrary commands on the target system.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Skyvern ≤ 0.1.85
Auth required
Prerequisites: Valid Skyvern API key · Network access to the target Skyvern server · Listener set up for reverse shell
Analyzed by devstral-2 on Feb 18, 2026
github · WRITEUP · 1 star
by cristibtz · java · poc
https://github.com/cristibtz/Security-Research/tree/main/CVE-2025-49619

The repository contains detailed technical reports for multiple CVEs, including CVE-2025-49619 (SSTI in Skyvern Workflow Editor), CVE-2025-62369 (SSTI in Xibo CMS), and CVE-2025-63497 (SQLi in rickxy Hospital Management System). Each report includes root cause analysis, attack scenarios, and technical details but lacks functional exploit code.

Classification: Writeup (100%)
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Skyvern Workflow Editor (0.1.85), Xibo CMS (< 4.3.1), rickxy Hospital Management System (1.0)
Auth required
Prerequisites: Authenticated access to the vulnerable application
Analyzed by devstral-2 on Feb 27, 2026
metasploit · WORKING POC · EXCELLENT
by Cristian Branet, msutovsky-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/skyvern_ssti_cve_2025_49619.rb

This Metasploit module exploits a Server-Side Template Injection (SSTI) vulnerability in Skyvern <= 0.1.84, allowing remote code execution via a malicious workflow upload and execution. The exploit uses a Python SSTI payload to execute arbitrary commands.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Skyvern <= 0.1.84
Auth required
Prerequisites: Valid API key for Skyvern
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 8.5
EPSS: 0.7354
EPSS Percentile: 98.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

VulnCheck KEV: 2025-12-27
CWE: CWE-1336
Status: published
Products (2)
pypi/skyvern (PyPI)
Skyvern/Skyvern < 0.1.85
Published: Jun 07, 2025
Tracked Since: Feb 18, 2026