CVE-2025-49520
Published 2025-06-30
Priority: P2 · 60 · high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.48% (38.1st percentile)
A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.
Detection & IOCs (extracted from sources)
- Monitor for git ls-remote invocations whose command line carries injected arguments (extra flags or parameters) and that originate from EDA worker processes.
- Alert on EDA worker processes spawning unexpected child processes or shell commands, which may indicate successful argument injection via a crafted Git URL.
- In Kubernetes/OpenShift environments, monitor for unauthorized reads of service account token files (e.g., /var/run/secrets/kubernetes.io/serviceaccount/token) from EDA worker pods, which may indicate post-exploitation token theft.
- Audit EDA Project Creation API calls for Git URLs containing shell metacharacters, argument-injection sequences (e.g., --, --upload-pack, --exec), or unusual URL schemes that deviate from the standard http/https/git/ssh formats.
Caveats
- Authentication is required to exploit this vulnerability; the attack surface is limited to authenticated users of the EDA component who can create or modify projects with Git URLs.
- The token theft and cluster access impact is specific to Kubernetes/OpenShift deployments; standalone (non-containerized) EDA deployments may have a reduced blast radius but are still vulnerable to RCE on the worker.
- No mitigation is currently available from Red Hat that meets its criteria for ease of use, deployment, and stability; patching is the recommended remediation path.
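The argument-injection pattern the description refers to, and the URL audit and process-monitoring checks the detection items call for, as an added Python example. This is not code from event-driven-ansible, Red Hat or the advisory: `unsafe_ls_remote_argv` shows the vulnerable argv shape (CWE-88), where a URL beginning with `-` lands in a position git still parses as an option; `audit_git_url` and `safe_ls_remote_argv` reject option-like, metacharacter-laden or off-scheme URLs and terminate option parsing with `--`; `flag_ls_remote_invocations` applies the first detection item to constructed exec-log lines. All function names, the log-line format, the URL samples and the baseline of exactly one repository argument and no options are this example's assumptions, and scp-style `user@host:path` remotes are deliberately rejected by the scheme check, which a real deployment may need to relax.

```python
"""Argument-injection checks around `git ls-remote`, written as an added
illustration of CWE-88 for this advisory. Not code from event-driven-ansible
or Red Hat; the function names, the log format in SAMPLE_EXEC_LOG and the
URL samples are this example's own constructions.
"""
import re
import shlex
from urllib.parse import urlsplit

# Expected remote URL schemes (the advisory's detection guidance treats
# anything outside http/https/git/ssh as unusual).
ALLOWED_SCHEMES = {"http", "https", "git", "ssh"}

# Option names the detection guidance lists as injection sequences, plus the
# structural tell of any argument injection: a value that starts with '-'.
OPTION_NAME_RE = re.compile(r"--(?:upload-pack|exec)\b", re.IGNORECASE)
LEADING_DASH_RE = re.compile(r"^\s*-")
SHELL_META_RE = re.compile(r"[\s;&|`$<>()\n]")


def unsafe_ls_remote_argv(url: str) -> list[str]:
    """Vulnerable shape (CWE-88): the URL lands where git is still parsing
    options, so a value beginning with '-' is read as a flag, not a repo."""
    return ["git", "ls-remote", url]


def audit_git_url(url: str) -> list[str]:
    """Return the reasons a submitted project URL should be flagged; an empty
    list means it looks like a plain http/https/git/ssh remote."""
    reasons = []
    if LEADING_DASH_RE.search(url):
        reasons.append("leading dash (parsed as an option)")
    if OPTION_NAME_RE.search(url):
        reasons.append("known git option name in URL")
    if SHELL_META_RE.search(url):
        reasons.append("shell metacharacter or whitespace")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        reasons.append("scheme outside http/https/git/ssh")
    return reasons


def safe_ls_remote_argv(url: str) -> list[str]:
    """Hardened shape: reject anything audit_git_url flags, then end option
    parsing with '--' so the repository can never be interpreted as a flag."""
    reasons = audit_git_url(url)
    if reasons:
        raise ValueError(f"rejected Git URL {url!r}: {', '.join(reasons)}")
    return ["git", "ls-remote", "--", url]


# Constructed process-execution log lines in the shape a worker-side exec
# logger might emit (hypothetical format, not an EDA or auditd format).
SAMPLE_EXEC_LOG = """\
eda-worker[4012] exec: git ls-remote https://github.com/ansible/ansible-rulebook.git
eda-worker[4013] exec: git ls-remote --upload-pack=/tmp/x https://example.invalid/r.git
eda-worker[4014] exec: git ls-remote -- https://example.invalid/ok.git
eda-worker[4015] exec: git ls-remote https://example.invalid/a.git extra-arg
"""


def flag_ls_remote_invocations(log_text: str) -> list[str]:
    """Return the lines whose `git ls-remote` argv deviates from the assumed
    baseline of exactly one repository argument and no options (a lone '--'
    terminator is allowed, since the hardened caller emits it)."""
    flagged = []
    for line in log_text.splitlines():
        if " exec: " not in line:
            continue
        argv = shlex.split(line.split(" exec: ", 1)[1])
        if argv[:2] != ["git", "ls-remote"]:
            continue
        rest = [a for a in argv[2:] if a != "--"]
        if len(rest) != 1 or any(a.startswith("-") for a in rest):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for url in ("https://github.com/ansible/ansible-rulebook.git",
                "--upload-pack=/tmp/x",
                "ftp://example.invalid/repo.git"):
        print(url, "->", audit_git_url(url) or "ok")
    for line in flag_ls_remote_invocations(SAMPLE_EXEC_LOG):
        print("FLAG:", line)
```

The `--` terminator is the structural fix; the URL audit is defence in depth and doubles as the project-creation API check from the detection list. Because the exec-log baseline is an assumption, tune `flag_ls_remote_invocations` to whatever argv shape your own worker actually emits before alerting on it.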
CVSS provenance
NVD (v3.1): 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat (vendor): 8.8 HIGH
Red Hat
event-driven-ansible: Authenticated Argument Injection in Git URL in EDA Project Creation
Source: vendor_redhat · 2025-06-30 · CVSS 8.8 · HIGH · CWE-88
GHSA
GHSA-wxwr-926x-hcq6: A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command
Source: ghsa_unreviewed · 2025-06-30 · HIGH · CWE-88
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.