Arbitrary Code Execution Vulnerability in Job Iteration API for ActiveJob by Shopify
CVE-2025-53623
8.1 HIGH
What is CVE-2025-53623?
The Job Iteration API, an extension for ActiveJob, is affected by a vulnerability in its CsvEnumerator class that allows arbitrary command execution. When CsvEnumerator is given a CSV file whose filename is attacker-controlled, the count_of_rows_in_file method can be made to execute arbitrary commands on the host running the job, which can lead to data leakage or full compromise of the server. The issue is fixed in version 1.11.0; earlier versions are affected. Until an application is upgraded, do not pass untrusted input to CsvEnumerator, and validate any CSV file path rigorously before handing it to the class. The CSV filename reaching count_of_rows_in_file is the input that needs the most care.
Affected Version(s)
job-iteration < 1.11.0
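The advisory describes the vulnerable input (an untrusted CSV filename reaching a row-counting method) but not the exact mechanism. The example below is added here and is not job-iteration's own code; it assumes the common shape of this bug class, a row counter that interpolates the filename into a shell command, and shows it next to a hardened counter that never touches a shell and confines the path to an allowed directory. All function names (unsafe_count_command, escaped_count_command, safe_count_of_rows, the demo_* helpers) are hypothetical, and the CSV file and its filename are constructed for the demonstration.

```ruby
require "tmpdir"
require "shellwords"

# Unsafe pattern (hypothetical, illustrating the bug class): an untrusted
# filename is spliced into a shell command line. Any shell metacharacters in
# the name (";", "$(...)", "|", ...) are parsed by the shell as commands.
# Returned as a string here rather than executed.
def unsafe_count_command(filepath)
  "wc -l < #{filepath}"
end

# Mitigation when shelling out really is required: escape the argument so the
# shell sees a single literal word.
def escaped_count_command(filepath)
  "wc -l < #{Shellwords.escape(filepath)}"
end

# Hardened counter: counts lines in Ruby (same semantics as `wc -l`), never
# through a shell, and refuses any path that resolves outside allowed_dir.
# File.realpath follows symlinks and collapses "..", so a traversal attempt
# such as "uploads/../secret.csv" is caught after resolution.
def safe_count_of_rows(filepath, headers: false, allowed_dir:)
  real = File.realpath(filepath)
  base = File.realpath(allowed_dir)
  unless real.start_with?(base + File::SEPARATOR) && File.file?(real)
    raise ArgumentError, "refusing CSV path outside #{base}: #{filepath.inspect}"
  end
  count = File.foreach(real).count
  count -= 1 if headers && count > 0
  count
end

# Constructed sample: a CSV whose filename carries shell metacharacters. A
# shell-interpolating counter would run the embedded command; the hardened
# counter just opens the file by name and reads it.
def demo_safe_count
  Dir.mktmpdir do |dir|
    path = File.join(dir, "orders;$(touch pwned).csv")
    File.write(path, "id,amount\n1,10\n2,20\n3,30\n")
    safe_count_of_rows(path, headers: true, allowed_dir: dir)
  end
end

# Constructed sample: a path-traversal attempt out of the allowed directory.
# Returns true when the hardened counter rejects it.
def demo_rejects_outside_path
  Dir.mktmpdir do |dir|
    allowed = File.join(dir, "uploads")
    Dir.mkdir(allowed)
    File.write(File.join(dir, "secret.csv"), "a\n")
    safe_count_of_rows(File.join(allowed, "..", "secret.csv"),
                       headers: false, allowed_dir: allowed)
    false
  rescue ArgumentError
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{unsafe_count_command('orders.csv; id')}"
  puts "escaped: #{escaped_count_command('orders.csv; id')}"
  puts "safe row count: #{demo_safe_count}"
  puts "traversal rejected: #{demo_rejects_outside_path}"
end
```

The hardened version addresses both halves of the advisory's advice: the row count is computed without a shell, so metacharacters in the filename are inert, and the path is resolved and checked against an allowed base directory before the file is opened, so a crafted path cannot point the job at an arbitrary file. Shellwords.escape is shown only as a fallback for code that must keep shelling out; removing the shell entirely is the stronger fix.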
