CVE-2025-49619
📋 TL;DR
Skyvern versions up to and including 0.1.85 evaluate the prompt fields of workflow blocks as Jinja2 templates, a server-side template injection (SSTI) flaw. An authenticated user who can create or edit a workflow can place a template expression in a prompt field and have it evaluated as Python on the server, which amounts to arbitrary code execution in the context of the Skyvern service. Every deployment running an affected version is exposed.
💻 Affected Systems
- Skyvern
⚠️ Manual Verification Required
The NVD entry for this CVE carries no machine-readable affected-version range, so automated vulnerability matching cannot decide whether a given deployment is affected.
Why? The version information on this page (all releases through 0.1.85, fixed by the commit linked below) comes from the advisory details, not from a CPE range published by the vendor or NVD, so it has to be checked by hand.
- Review the CVE details at NVD
- Check the vendor's security advisory against the exact version or commit you are running
- Test whether a prompt field in your environment evaluates a harmless template probe
- Update to a release that contains the fix commit rather than waiting for a version range to be published
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system takeover, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Authenticated attackers gain shell access on the Skyvern server, allowing them to steal credentials, manipulate workflows, and access internal systems.
If Mitigated
With network segmentation and a least-privilege service account, impact is contained to the Skyvern application server and whatever that account can reach.
🎯 Exploit Status
Exploitation requires an authenticated account that can create or edit workflows, but once that is in hand the payload is an ordinary Jinja2 expression typed into a prompt field, so the technical bar is low.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit db856cd8433a204c8b45979c70a4da1e119d949d
Vendor Advisory: https://github.com/Skyvern-AI/skyvern/commit/db856cd8433a204c8b45979c70a4da1e119d949d
Restart Required: Yes
Instructions:
1. Update Skyvern to a release (or source checkout) that contains commit db856cd8433a204c8b45979c70a4da1e119d949d.
2. Restart the Skyvern service so the patched code is loaded.
3. Verify that prompt fields are no longer evaluated as templates, for example by submitting a harmless probe such as {{ 7*7 }} in a test workflow and confirming the output still contains the literal text rather than 49.
🔧 Temporary Workarounds
Disable vulnerable workflow blocks
Temporarily disable the Navigation v2 Block and any other workflow block that exposes a prompt field until the fix is deployed. The vulnerable surface is the prompt field itself, so every block that accepts one is in scope, not only Navigation v2.
Modify the Skyvern configuration to disable those blocks.
Input validation middleware
Add a validation layer in front of the workflow API that rejects Jinja2 template syntax in prompt fields.
Add a custom validation rule that rejects the {{, }}, {% and %} delimiters (and the {# and #} comment delimiters for completeness). Treat this as a denylist stopgap only: it assumes the default Jinja2 delimiters, and it will also reject legitimate prompts that happen to contain double braces (JSON examples, for instance). The durable fix is to stop compiling user-supplied prompt text as a template at all.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Skyvern servers from critical systems
- Run the Skyvern service under a dedicated low-privilege account (or container) so a shell obtained through the template engine inherits only that account's access, and monitor all authenticated user activity, workflow edits in particular
🔍 How to Verify
Check if Vulnerable:
Skyvern 0.1.85 and all earlier versions are affected. Confirm by submitting a harmless probe such as {{ 7*7 }} in a workflow block prompt field (in a test workflow, not a production one) and checking whether the rendered prompt contains 49 instead of the literal text.
Check Version:
Read the Skyvern version from the application interface, the installed skyvern Python package, or the deployment configuration; for source deployments, check whether the checkout contains commit db856cd8433a204c8b45979c70a4da1e119d949d.
Verify Fix Applied:
Confirm the running build contains commit db856cd8433a204c8b45979c70a4da1e119d949d and repeat the probe: the template text must come back unevaluated.
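The delimiter denylist from the workaround section and the probe used to check whether a prompt field is evaluated, shown side by side as an added Python example. This is not Skyvern's code; it assumes the jinja2 package is installed and that the default Jinja2 delimiters are in use, and all function names are the example's own. It puts the vulnerable pattern (the user's prompt is the template) next to the two hardened forms a practitioner would actually reach for: passing the prompt in as data to a fixed template, and, for code that must keep evaluating templates, a sandboxed environment that refuses attribute walks into Python internals.

```python
"""Prompt fields as Jinja2 templates: vulnerable pattern, probe, and hardened forms.

Added illustration, not Skyvern's code. Assumes the jinja2 package is installed
and that the default delimiters are in use. Function names are this example's own.
"""
import re

from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Default Jinja2 delimiters: expression, statement and comment, open and close.
# Assumption: the deployment has not configured custom delimiters.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")


def contains_template_syntax(prompt: str) -> bool:
    """Denylist check matching the page's stopgap: any Jinja2 delimiter is rejected.

    Single braces (e.g. a JSON example inside a prompt) pass through.
    """
    return TEMPLATE_SYNTAX.search(prompt) is not None


def render_vulnerable(user_prompt: str, **context) -> str:
    """The bug class: the user-controlled prompt IS the template, so every
    expression in it is evaluated with full Python object access."""
    return Environment().from_string(user_prompt).render(**context)


def render_as_data(user_prompt: str) -> str:
    """Hardened form: the template is fixed and developer-written; the prompt is
    passed in as a variable and is never parsed as template syntax."""
    fixed_template = Environment().from_string("Task: {{ prompt }}")
    return fixed_template.render(prompt=user_prompt)


def render_sandboxed(template_text: str) -> str:
    """Defence in depth where templates must still be evaluated: the sandbox
    returns an undefined value for underscore-prefixed attributes (how SSTI
    payloads reach Python internals), while plain arithmetic still evaluates."""
    return SandboxedEnvironment().from_string(template_text).render()


def probe_result(rendered: str, a: int = 7, b: int = 7) -> bool:
    """Harmless verification probe: if the product of a and b appears in the
    output, the field was evaluated as a template."""
    return str(a * b) in rendered


if __name__ == "__main__":
    probe = "{{ 7*7 }}"
    print("denylist rejects probe:", contains_template_syntax(probe))
    vulnerable_out = render_vulnerable(probe)
    print("vulnerable render:", repr(vulnerable_out), "evaluated:", probe_result(vulnerable_out))
    safe_out = render_as_data(probe)
    print("prompt-as-data render:", repr(safe_out), "evaluated:", probe_result(safe_out))
    print("plain env on dunder access:", repr(render_vulnerable("{{ ''.__class__ }}")))
    print("sandbox on dunder access:", repr(render_sandboxed("{{ ''.__class__ }}")))
```

Note that the sandbox still evaluates `{{ 7*7 }}` to 49, so a sandbox alone does not make the probe come back clean; only the prompt-as-data form leaves the text untouched. That is why the probe in the verification section above is the right test for the fix: it distinguishes "templates are no longer compiled from user input" from "templates are compiled but restricted".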
📡 Detection & Monitoring
Log Indicators:
- Prompt field values containing Jinja2 delimiters ({{, {%, {#) or attribute walks such as __class__, __mro__, __subclasses__ and __globals__
- Shell or process-execution calls appearing in application logs in the context of a prompt render
- Repeated template render errors from the same account, which are what failed or half-working payloads look like
Network Indicators:
- Unexpected outbound connections from Skyvern server
- Unusual data exfiltration patterns
SIEM Query:
source="skyvern" AND ("{{" OR "}}" OR "{%" OR "%}") AND event="prompt_submission"
The source and event field names are placeholders; map them to the fields your Skyvern log ingest actually emits. Matching on braces alone will also flag legitimate prompts that contain JSON examples, so treat hits as triage candidates and escalate on the attribute-walk patterns listed above.
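The detection logic described in this section, run over a few constructed prompt-submission log lines, as an added Python example (not part of the page or of Skyvern). The JSON log shape with ts, event, user, block and prompt fields is an assumption made for the illustration, as are the sample lines themselves; the point is the two-tier classification, which separates "contains template delimiters" (triage) from "contains the attribute walks and execution sinks that SSTI payloads are built from" (alert), and the per-user repeat count the page's "multiple failed attempts" indicator needs.

```python
"""Scan prompt-submission logs for Jinja2 template injection attempts.

Added example, not the page's or Skyvern's code. The JSON log shape (fields
ts, event, user, block, prompt) and the sample lines are constructed for this
illustration; map them onto your own ingest format.
"""
import json
import re
from collections import Counter

# Opening Jinja2 delimiters: expression, statement, comment (default delimiters assumed).
DELIMITERS = re.compile(r"\{\{|\{%|\{#")
# Attribute walks that SSTI payloads use to climb from a string to Python internals.
DUNDER_WALK = re.compile(r"__(class|mro|subclasses|globals|builtins|import|init)__")
# Execution sinks that commonly terminate such a walk.
EXEC_SINK = re.compile(r"\b(os\.popen|os\.system|subprocess|popen)\b")

# Constructed sample log: one line per JSON record.
SAMPLE_LOG = """\
{"ts": "2025-06-01T10:00:01Z", "event": "prompt_submission", "user": "alice", "block": "navigation_v2", "prompt": "Log in and open the billing page"}
{"ts": "2025-06-01T10:00:07Z", "event": "prompt_submission", "user": "alice", "block": "extraction", "prompt": "Return the data as JSON like {\\"total\\": 0}"}
{"ts": "2025-06-01T10:02:13Z", "event": "prompt_submission", "user": "mallory", "block": "navigation_v2", "prompt": "{{ 7*7 }}"}
{"ts": "2025-06-01T10:02:40Z", "event": "prompt_submission", "user": "mallory", "block": "navigation_v2", "prompt": "{{ ''.__class__.__mro__[1].__subclasses__() }}"}
{"ts": "2025-06-01T10:03:05Z", "event": "prompt_submission", "user": "mallory", "block": "navigation_v2", "prompt": "{{ cycler.__init__.__globals__.os.popen('id').read() }}"}
{"ts": "2025-06-01T10:03:06Z", "event": "login", "user": "mallory", "prompt": null}
"""


def classify(prompt: str) -> str:
    """Return 'high', 'suspicious' or 'clean' for one prompt field value."""
    if not prompt or not DELIMITERS.search(prompt):
        return "clean"          # single braces (JSON examples) land here
    if DUNDER_WALK.search(prompt) or EXEC_SINK.search(prompt):
        return "high"           # delimiters plus a payload building block
    return "suspicious"         # delimiters only: a probe or a false positive


def scan(log_text: str) -> list[dict]:
    """Parse JSON-lines log text and return one finding per non-clean prompt submission."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue                        # skip malformed lines rather than abort the scan
        if record.get("event") != "prompt_submission":
            continue
        severity = classify(record.get("prompt") or "")
        if severity == "clean":
            continue
        findings.append({
            "ts": record.get("ts"),
            "user": record.get("user"),
            "block": record.get("block"),
            "severity": severity,
            "prompt": record.get("prompt"),
        })
    return findings


def repeat_offenders(findings: list[dict], threshold: int = 2) -> dict[str, int]:
    """Accounts with at least `threshold` flagged submissions: the 'multiple attempts' signal."""
    counts = Counter(f["user"] for f in findings)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for finding in results:
        print(f"{finding['ts']} {finding['severity']:<10} {finding['user']:<8} {finding['prompt']}")
    print("repeat offenders:", repeat_offenders(results))
```

Alice's JSON example is the false positive the page's brace-only SIEM query would raise; here it stays clean because only double-brace or brace-percent openers count, and the three mallory lines escalate from a bare probe to two high-severity hits that would justify suspending the account and pulling the workflow definitions it touched.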