CVE-2025-49619

{"id": "CVE-2025-49619", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.1}]}, "published": "2025-06-07T14:15:21.573", "references": [{"url": "https://cristibtz.github.io/posts/CVE-2025-49619/", "source": "[email protected]"}, {"url": "https://github.com/Skyvern-AI/skyvern/commit/db856cd8433a204c8b45979c70a4da1e119d949d", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/52335", "source": "[email protected]"}, {"url": "https://cristibtz.blog/posts/CVE-2025-49619/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-1336"}]}], "descriptions": [{"lang": "en", "value": "Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE)."}, {"lang": "es", "value": "Skyvern, hasta la versi\u00f3n 0.1.85, es vulnerable a server-side template injection (SSTI) en el campo Prompt de bloques de flujo de trabajo, como el bloque Navigation v2. La depuraci\u00f3n incorrecta de la entrada de plantilla de Jinja2 permite a los usuarios autenticados inyectar expresiones manipuladas que se eval\u00faan en el servidor, lo que provoca la ejecuci\u00f3n remota de c\u00f3digo (RCE) a ciegas."}], "lastModified": "2025-06-17T21:15:40.087", "sourceIdentifier": "[email protected]"}