CVE-2025-49520

Summary

A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Ansible Automation Platform 2.5 for RHEL 80:1.1.11-1.el8ap < *unaffected
Red HatRed Hat Ansible Automation Platform 2.5 for RHEL 90:1.1.11-1.el9ap < *unaffected

Weaknesses

  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References