CVE-2025-48069
📋 TL;DR
CVE-2025-48069 is a command injection vulnerability in ejson2env versions before 2.0.8 where insufficient output sanitization allows malicious content in variable names or values to execute arbitrary commands when the output is evaluated. This affects systems using ejson2env to decrypt and export EJSON secrets as environment variables, particularly in CI/CD pipelines or automation scripts that process the tool's output.
💻 Affected Systems
- ejson2env
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with arbitrary command execution as the user running ejson2env, potentially leading to data theft, lateral movement, or complete host takeover.
Likely Case
Limited command execution in automated environments where ejson2env output is piped to shell evaluation, allowing attackers to manipulate secrets processing pipelines.
If Mitigated
No impact if using version 2.0.8+ or properly sanitizing output before evaluation.
🎯 Exploit Status
Exploitation requires both malicious EJSON secrets and vulnerable usage patterns where output is evaluated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.8
Vendor Advisory: https://github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6
Restart Required: No
Instructions:
1. Update ejson2env: 'npm update -g ejson2env' or the equivalent command for your package manager.
2. Verify the version: 'ejson2env --version' should show 2.0.8 or higher.
🔧 Temporary Workarounds
Sanitize output before evaluation
Linux: Filter non-printable characters from the ejson2env output before passing it to shell evaluation.
ejson2env decrypt secrets.ejson | tr -cd '\11\12\15\40-\176' | source /dev/stdin
Avoid direct evaluation
Linux: Write the output to a temporary file and source that file instead of piping the output directly.
ejson2env decrypt secrets.ejson > /tmp/secrets.sh && source /tmp/secrets.sh && rm /tmp/secrets.sh
🧯 If You Can't Patch
- Only decrypt trusted EJSON secrets from verified sources
- Never pipe ejson2env output directly to eval, source, or shell execution
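Both workarounds above still end in `source`, and `tr -cd '\11\12\15\40-\176'` keeps every printable character, shell metacharacters included. As an added example (not code from the advisory or from ejson2env), the POSIX sh below imports the decrypted variables without evaluating the output at all. It assumes each output line has the form `export NAME=VALUE` with VALUE bare or single-quoted; that format is an assumption, labelled in the code.

```shell
# Added example (not code from the advisory or from ejson2env): import
# decrypted secrets without ever handing the output to `source` or `eval`.
# Assumption (labelled): each line has the form  export NAME=VALUE  with
# VALUE either bare or wrapped in single quotes; anything else is dropped.

# 0 if NAME is a valid shell identifier (letters, digits, _; no leading digit)
is_valid_name() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 if VALUE contains only characters the shell never interprets. Deliberately
# conservative: `$`, backticks, quotes, `;`, `|`, `&`, `(`, `)`, whitespace
# and anything non-ASCII all cause a rejection.
is_safe_value() {
    case "$1" in
        *[!A-Za-z0-9_./:@%+,=-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reads export lines on stdin; prints accepted NAME=VALUE pairs on stdout and
# logs rejected lines on stderr. Nothing is evaluated, so `$(...)`, backticks
# or a second command after `;` inside a secret cannot run.
filter_env_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "export "*=*) rest=${line#export } ;;
            *) printf 'rejected: %s\n' "$line" >&2; continue ;;
        esac
        name=${rest%%=*}
        value=${rest#*=}
        case "$value" in
            \'?*\') value=${value#\'}; value=${value%\'} ;;  # strip one quote pair
        esac
        if is_valid_name "$name" && is_safe_value "$value"; then
            printf '%s=%s\n' "$name" "$value"
        else
            printf 'rejected: %s\n' "$line" >&2
        fi
    done
    return 0
}

# Exports every accepted pair from FILE into the current shell with `export`,
# not `source`. Usage: ejson2env ... > secrets.txt; import_env_file secrets.txt
import_env_file() {
    while IFS= read -r kv; do [ -z "$kv" ] || export "$kv"; done <<EOF
$(filter_env_lines < "$1")
EOF
}
```

Legitimate secrets containing characters outside the allowed set are rejected as well; widen `is_safe_value` only for characters you have confirmed the shell does not interpret.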
🔍 How to Verify
Check if Vulnerable:
Check the ejson2env version: 'ejson2env --version'; if it reports a version below 2.0.8, the installation is vulnerable.
Check Version:
ejson2env --version
Verify Fix Applied:
After updating, confirm the version is 2.0.8 or higher and test with a known-safe EJSON file.
📡 Detection & Monitoring
Log Indicators:
- Unexpected command execution following ejson2env usage
- Shell history showing ejson2env piped to eval/source
Network Indicators:
- Unusual outbound connections from systems running ejson2env
SIEM Query:
process.name:ejson2env AND (process.cmdline:*eval* OR process.cmdline:*source*)