CVE-2025-49520
published 2025-06-30


Priority: P2 · 60 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.48% (38.1th percentile)
A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.

Detection & IOCs (extracted from sources)

  • Monitor for git ls-remote invocations that include injected arguments (e.g., flags or extra parameters) in the command line, originating from EDA worker processes
  • Alert on EDA worker processes spawning unexpected child processes or shell commands, which may indicate successful argument injection via a crafted Git URL
  • In Kubernetes/OpenShift environments, monitor for unauthorized reads of service account token files (e.g., /var/run/secrets/kubernetes.io/serviceaccount/token) from EDA worker pods, which may indicate post-exploitation token theft
  • Audit EDA Project Creation API calls for Git URLs containing shell metacharacters, argument-injection sequences (e.g., --, --upload-pack, --exec), or unusual URL schemes that deviate from standard http/https/git/ssh formats
  • Authentication is required to exploit this vulnerability; attack surface is limited to authenticated users of the EDA component who can create or modify projects with Git URLs
  • The token theft and cluster access impact is specific to Kubernetes/OpenShift deployments; standalone (non-containerized) EDA deployments may have a reduced blast radius but are still vulnerable to RCE on the worker
  • No mitigation is currently available from Red Hat that meets their criteria for ease of use, deployment, and stability; patching is the recommended remediation path
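
The Git URL audit described in the list above, as an added example (not code from Red Hat, the EDA project or this page's sources). The finding codes, the record layout (`name`, `url`) and the sample records are assumptions constructed for illustration; feed it the Git URLs exported from your own EDA project records or API logs.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "git", "ssh"}      # standard formats named in the audit item
SCP_LIKE = re.compile(r"^[\w.-]+@[\w.-]+:[\w./~-]+$")   # user@host:path form used for SSH remotes
EMBEDDED_OPTION = re.compile(r"\s-{1,2}[A-Za-z]")      # " --flag" or " -f" following whitespace
SHELL_META = re.compile(r"[;&|`$<>(){}\\]")


def audit_git_url(url: str) -> list[str]:
    """Return finding codes for one Git URL; an empty list means nothing was flagged."""
    findings = []
    if url.lstrip().startswith("-"):
        findings.append("leading-dash")        # git would parse the value as an option
    if EMBEDDED_OPTION.search(url):
        findings.append("embedded-option")
    if re.search(r"\s", url):
        findings.append("whitespace")
    if SHELL_META.search(url):
        findings.append("shell-metachar")
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:                         # malformed URL: treat as having no scheme
        scheme = ""
    if scheme not in ALLOWED_SCHEMES and not SCP_LIKE.match(url):
        findings.append("bad-scheme")
    return findings


def audit_projects(records):
    """Map project name -> findings for every record with at least one finding."""
    return {r["name"]: f for r in records if (f := audit_git_url(r["url"]))}


# Constructed sample records (hypothetical names and hosts, placeholder option values).
SAMPLE_PROJECTS = [
    {"name": "rulebooks", "url": "https://git.example.invalid/org/rulebooks.git"},
    {"name": "ssh-remote", "url": "git@git.example.invalid:org/rulebooks.git"},
    {"name": "opt-only", "url": "--upload-pack=PLACEHOLDER"},
    {"name": "opt-suffix", "url": "https://git.example.invalid/r.git --exec=PLACEHOLDER"},
    {"name": "odd-scheme", "url": "ftp://git.example.invalid/r.git"},
]

if __name__ == "__main__":
    for name, findings in audit_projects(SAMPLE_PROJECTS).items():
        print(f"{name}: {', '.join(findings)}")
```

A flagged record is a lead for review, not proof of exploitation; correlate it with the process and token-read monitoring items in the same list.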

CVSS provenance

nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat: 8.8 HIGH