Introduction
The Ansible Automation Platform, a cornerstone of enterprise IT automation used globally to manage millions of nodes, faces a critical security threat. A newly discovered vulnerability, CVE-2025-49521, exposes its Event-Driven Ansible (EDA) component to severe risks, including remote command execution and potential theft of highly privileged OpenShift service account tokens.
Technical Information
The core issue lies in the improper evaluation of user-supplied Git branch or refspec values as Jinja2 templates within the EDA component. Without proper sanitization, attackers can inject malicious Jinja2 expressions, enabling arbitrary command execution. For instance, an attacker could exploit this vulnerability with the following payload:
{{ self.__init__.__globals__.__builtins__.eval("import('os').system('id')") }}
In OpenShift environments, this vulnerability is particularly dangerous as it allows attackers to access and exfiltrate service account tokens, potentially granting them extensive control over Kubernetes clusters.
Patch Information
To mitigate this vulnerability, the EDA component has been updated to strictly sanitize and validate Git branch and refspec inputs. This ensures inputs are treated purely as strings, preventing unintended template rendering or code execution. Users are strongly advised to update their Ansible Automation Platform installations to the latest version immediately to incorporate this critical security fix.
Patch sources:
Affected Systems and Versions
- Ansible Automation Platform versions ≤ 2.5 (EL8/EL9)
- All deployments with EDA enabled and utilizing user-supplied Git branch/refspec parameters
Vendor Security History
Red Hat has consistently demonstrated prompt responses to vulnerabilities, typically releasing patches within days of discovery. However, the increasing frequency of vulnerabilities in EDA components underscores the importance of proactive security practices and regular updates.
References
Source: This report was created using AI