Command Injection Vulnerability in Ansible Automation Platform's EDA Component
CVE-2025-49520

8.8HIGH

Key Information:

Vendor

Red Hat

Vendor
CVE Published:
30 June 2025

What is CVE-2025-49520?

A security flaw exists in Ansible Automation Platform's EDA component that arises from the improper handling of user-supplied Git URLs. This vulnerability enables an authenticated attacker to inject arbitrary arguments into the git ls-remote command, facilitating the execution of unauthorized commands on the EDA worker. In environments utilizing Kubernetes or OpenShift, this flaw could result in the theft of service account tokens and unauthorized access to the cluster.

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-49520 : Command Injection Vulnerability in Ansible Automation Platform's EDA Component