Ansible EDA Event Streams Header Leakage (CVE-2025-9908)
CVE-2025-9908 Published on February 27, 2026
Event-driven-ansible: sensitive internal headers disclosure in aap eda event streams
A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.
Vulnerability Analysis
CVE-2025-9908 is exploitable with local system access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Timeline
Reported to Red Hat.
Made public. 14 days later.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2025-9908 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2025-9908
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
Affected Versions
Red Hat Ansible Automation Platform 2.5 for RHEL 8:- Version 0:3.1.1-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:25.12.2-1.1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:0.1.4-1.el8ap and below * is unaffected.
- Version 0:1.1.14-1.el8ap and below * is unaffected.
- Version 0:4.10.10-1.el8ap and below * is unaffected.
- Version 0:2.13.0-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:0.4.0-1.el8ap and below * is unaffected.
- Version 0:4.2.26-1.el8ap and below * is unaffected.
- Version 0:2.1.2-1.el8ap and below * is unaffected.
- Version 0:0.4.36-2.el8ap and below * is unaffected.
- Version 0:4.10.10-1.el8ap and below * is unaffected.
- Version 0:23.0.0-1.el8ap and below * is unaffected.
- Version 0:1.6.0-1.el8ap and below * is unaffected.
- Version 0:9.0.1-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.el8ap and below * is unaffected.
- Version 0:3.8.0-1.el8ap and below * is unaffected.
- Version 0:0.2.15-1.el8ap and below * is unaffected.
- Version 0:0.4.2-1.el8ap and below * is unaffected.
- Version 0:25.12.0-1.2.el8ap and below * is unaffected.
- Version 0:4.15.0-1.el8ap and below * is unaffected.
- Version 0:3.1.1-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:25.12.2-1.1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:0.1.4-1.el9ap and below * is unaffected.
- Version 0:1.1.14-1.el9ap and below * is unaffected.
- Version 0:4.10.10-1.el9ap and below * is unaffected.
- Version 0:2.13.0-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:0.4.0-1.el9ap and below * is unaffected.
- Version 0:4.2.26-1.el9ap and below * is unaffected.
- Version 0:2.1.2-1.el9ap and below * is unaffected.
- Version 0:0.4.36-2.el9ap and below * is unaffected.
- Version 0:4.10.10-1.el9ap and below * is unaffected.
- Version 0:23.0.0-1.el9ap and below * is unaffected.
- Version 0:1.6.0-1.el9ap and below * is unaffected.
- Version 0:9.0.1-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.el9ap and below * is unaffected.
- Version 0:3.8.0-1.el9ap and below * is unaffected.
- Version 0:0.2.15-1.el9ap and below * is unaffected.
- Version 0:0.4.2-1.el9ap and below * is unaffected.
- Version 0:25.12.0-1.2.el9ap and below * is unaffected.
- Version 0:4.15.0-1.el9ap and below * is unaffected.
- Version 0:1.2.1-1.el9ap and below * is unaffected.
- Version sha256:07673470fb62db8bec12ec20b2500228c0c6d5108916dd936d91e10610b783d1 and below * is unaffected.
- Version sha256:142125ce7f176ce4d9755f3124714bbfd8e10a687378988761d5451bd135ca76 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.