CVE-2025-49521
📋 TL;DR
This vulnerability allows authenticated users of Ansible Automation Platform's EDA component to inject malicious Jinja2 templates via Git branch or refspec values. Successful exploitation enables remote code execution and sensitive file access on EDA workers, potentially leading to service account token theft in OpenShift environments. Affected users include organizations using vulnerable versions of Ansible Automation Platform with EDA enabled.
💻 Affected Systems
- Ansible Automation Platform
- Red Hat Ansible Automation Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of EDA worker nodes, theft of service account tokens in OpenShift environments leading to cluster-wide compromise, and lateral movement to other systems.
Likely Case
Authenticated attackers executing arbitrary commands on EDA workers, accessing sensitive files, and potentially escalating privileges within the automation platform.
If Mitigated
Limited impact with proper network segmentation, minimal service account permissions, and restricted user access to EDA components.
🎯 Exploit Status
Exploitation requires authenticated access to the Ansible Automation Platform and knowledge of Git branch/refspec parameter injection. The vulnerability is in template evaluation logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ansible Automation Platform 2.4.8, 2.3.12, or 2.2.19
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:9986
Restart Required: Yes
Instructions:
1. Update to patched version via Red Hat Satellite or repository. 2. Apply the update to all controller and EDA worker nodes. 3. Restart affected services including automation controller and EDA services. 4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Git-based event sources
linuxTemporarily disable or remove Git-based event source configurations in EDA until patching can be completed.
ansible-automation-platform-manager disable-git-events
Restrict user permissions
allLimit which users can create or modify EDA rulebooks and event sources to only trusted administrators.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EDA workers from sensitive systems.
- Apply principle of least privilege to service accounts and restrict file system access on EDA workers.
🔍 How to Verify
Check if Vulnerable:
Check Ansible Automation Platform version: 'rpm -q ansible-automation-platform' and verify if it's below 2.4.8, 2.3.12, or 2.2.19.Check Version:
rpm -q ansible-automation-platform --queryformat '%{VERSION}-%{RELEASE}\n'Verify Fix Applied:
Verify version is 2.4.8, 2.3.12, or 2.2.19 or higher: 'rpm -q ansible-automation-platform' and check for version string.📡 Detection & Monitoring
Log Indicators:
- Unusual Git branch names containing Jinja2 template syntax in EDA logs
- Unexpected command execution patterns from EDA worker processes
- Failed authentication attempts followed by Git event source modifications
Network Indicators:
- Unusual outbound connections from EDA workers to external systems
- Suspicious file transfers from EDA worker nodes
SIEM Query:
source="eda.log" AND ("git branch" OR "refspec") AND ("{{.*}}" OR "{%")