Red Hat Ansible Automation Platform 2.5 Template Injection Vulnerability (CVE-2025-49521)

Key Information Vulnerability ID: CVE-2025-49521 Vulnerability Type: Template Injection via Git Branch and Refspec in EDA Projects Reported Time: 2025-06-06 15:39 UTC Modified Time: 2025-06-30 21:20 UTC Priority: high Severity: high Affected Products: Red Hat Ansible Automation Platform 2.5 for RHEL 8 and Red Hat Ansible Automation Platform 2.5 for RHEL 9 Fix Advisory: RHSA-2025:9986 Vulnerability Description: - During the creation of EDA projects in Ansible Automation Platform, Git metadata fields (branch, tag, commit, refspec) are vulnerable to template injection. - User input is directly passed to Ansible Jinja2 templates and evaluated without proper sanitization. - Attackers can inject expressions such as or , which are executed during project synchronization. - This leads to arbitrary command execution and file disclosure on EDA workers. In OpenShift environments, attackers can obtain the Service Account Token used by worker pods and escalate privileges within the cluster. Remediation: - The issue has been resolved in the following products: - Red Hat Ansible Automation Platform 2.5 for RHEL 8 - Red Hat Ansible Automation Platform 2.5 for RHEL 9 - For more details, see RHSA-2025:9986: https://access.redhat.com/errata/RHSA-2025:9986

Goal Reached Thanks to every supporter — we hit 100%!

Red Hat Ansible Automation Platform 2.5 Template Injection Vulnerability (CVE-2025-49521)