Jinja2 Template Injection in Ansible Automation Platform by Red Hat
CVE-2025-49521

8.8HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Ansible Automation Platform 2
Vendor: CVE Published:; 30 June 2025

What is CVE-2025-49521?

A vulnerability exists in the EDA component of the Ansible Automation Platform, allowing authenticated users to inject malicious expressions through Git branch or refspec values. When evaluated as Jinja2 templates, these expressions can execute arbitrary commands or gain unauthorized access to sensitive files on the EDA worker. This flaw poses significant risks, particularly in OpenShift environments, where it can lead to the theft of service account tokens.

References

https://access.redhat.com/security/cve/CVE-2025-49521

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2370817

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 30, 2025
Vulnerability Reserved
Jun 6, 2025