Ansible EDA Git ls-remote Injection Enables Command Exec
CVE-2025-49520 Published on June 30, 2025
Event-driven-ansible: authenticated argument injection in git url in eda project creation
A flaw was found in Ansible Automation Platforms EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.
Vulnerability Analysis
CVE-2025-49520 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Timeline
Reported to Red Hat.
Made public. 24 days later.
Weakness Type
What is an Argument Injection Vulnerability?
The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CVE-2025-49520 has been classified to as an Argument Injection vulnerability or weakness.
Products Associated with CVE-2025-49520
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
Affected Versions
Red Hat Ansible Automation Platform 2.5 for RHEL 8:- Version 0:1.1.11-1.el8ap and below * is unaffected.
- Version 0:1.1.11-1.el9ap and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.