CVE-2025-5988

Summary

A flaw was found in the Ansible aap-gateway. Cross-site request forgery (CSRF) origin checking is not done on requests from the gateway to external components, such as the controller, hub, and eda.

Affected Software

VendorProductVersion RangeStatus
0 < 2.5.20250730affected
Red HatRed Hat Ansible Automation Platform 2.5 for RHEL 80:2.5.20250730-2.el8ap < *unaffected
Red HatRed Hat Ansible Automation Platform 2.5 for RHEL 90:2.5.20250730-2.el9ap < *unaffected

Weaknesses

  • CWE-352: Cross-Site Request Forgery (CSRF)

Workarounds

Use HTTPS on the platform ingress if possible.

Since this is a problem in edge-terminated AAP deployments where requests have TLS terminated right before the platform ingress, enforce trusted origins before requests reach the gateway.

A tool such as a Web-application firewall should be able to manage this issue.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References