Platform
python
Component
event-driven-ansible
Fixed in
*
A critical vulnerability has been identified in the Event-Driven Ansible (EDA) component of the Ansible Automation Platform. This flaw stems from the mishandling of user-supplied Git branch or refspec values, which are evaluated as Jinja2 templates. Successful exploitation allows authenticated users to inject malicious expressions, leading to command execution or sensitive file access on the EDA worker, with potential service account token theft in OpenShift environments. Affected versions include 1.1.11-1.el8ap-*.
The impact of CVE-2025-49521 is significant due to the ability of authenticated users to execute arbitrary commands on the EDA worker. This could lead to complete system compromise, data exfiltration, and disruption of automation workflows. In OpenShift deployments, the vulnerability presents a particularly severe risk, as attackers can potentially steal service account tokens, enabling lateral movement and privilege escalation within the cluster. The ability to access sensitive files further expands the attack surface, potentially exposing credentials, configuration data, or other confidential information. This vulnerability shares similarities with other Jinja2 template injection flaws, where improper sanitization of user input allows for code execution.
CVE-2025-49521 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's severity and potential impact suggest a medium probability of exploitation. The vulnerability was publicly disclosed on 2025-06-30. Active campaigns targeting this vulnerability are not currently confirmed, but security teams should remain vigilant and monitor their Ansible Automation Platform deployments.
Exploit Status
EPSS
0.14% (33% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-49521 is to upgrade to a patched version of Event-Driven Ansible as soon as it becomes available. Until an upgrade is possible, several workarounds can be implemented to reduce the risk. First, strictly restrict the allowed Git branch and refspec input to prevent malicious expressions from being injected. Second, review and minimize the permissions granted to the EDA worker to limit the potential impact of a successful attack. Consider implementing a Web Application Firewall (WAF) or proxy to filter potentially malicious requests. Regularly monitor EDA worker logs for suspicious activity, such as attempts to execute commands or access unauthorized files. After upgrading, confirm the fix by attempting to trigger the vulnerable Git operation with a known malicious payload and verifying that it is properly sanitized.
Actualice Red Hat Ansible Automation Platform a la última versión disponible. Esto solucionará la vulnerabilidad de inyección de plantillas Jinja2. Consulte el aviso de seguridad RHSA-2025:9986 para obtener más detalles e instrucciones de actualización.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-49521 is a HIGH severity vulnerability in Event-Driven Ansible allowing authenticated users to inject Jinja2 templates, potentially executing commands or accessing sensitive files on the EDA worker.
If you are using Event-Driven Ansible version 1.1.11-1.el8ap-* or earlier, you are potentially affected by this vulnerability. Upgrade as soon as possible.
The recommended fix is to upgrade to a patched version of Event-Driven Ansible. Until then, restrict Git branch/refspec input and review EDA worker permissions.
Active exploitation is not currently confirmed, but the vulnerability's severity warrants vigilance and proactive mitigation.
Refer to the official Red Hat security advisory for details and updates regarding CVE-2025-49521.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.