
Commit 098479f

jasnowpostmodern
authored and committed
GHSA SYNC: 1 brand new advisory
1 parent 386b1cf commit 098479f


1 file changed

+40
-0
lines changed

gems/job-iteration/CVE-2025-53623.yml

Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
---
2+
gem: job-iteration
3+
cve: 2025-53623
4+
ghsa: 6qjf-g333-pv38
5+
url: https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
6+
title: Job Iteration API is vulnerable to OS Command Injection attack
7+
through its CsvEnumerator class
8+
date: 2025-07-14
9+
description: |
10+
### Impact
11+
12+
There is an arbitrary code execution vulnerability in the
13+
`CsvEnumerator` class of the `job-iteration` repository. This
14+
vulnerability can be exploited by an attacker to execute arbitrary
15+
commands on the system where the application is running, potentially
16+
leading to unauthorized access, data leakage, or complete system
17+
compromise.
18+
19+
### Patches
20+
21+
Issue is fixed in versions `1.11.0` and above.
22+
23+
### Workarounds
24+
25+
Users can mitigate the risk by avoiding the use of untrusted input
26+
in the `CsvEnumerator` class and ensuring that any file paths are
27+
properly sanitized and validated before being passed to the class
28+
methods. Users should avoid calling `size` on enumerators
29+
constructed with untrusted CSV filenames.
30+
cvss_v4: 8.1
31+
patched_versions:
32+
- ">= 1.11"
33+
related:
34+
url:
35+
- https://nvd.nist.gov/vuln/detail/CVE-2025-53623
36+
- https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
37+
- https://github.com/Shopify/job-iteration/pull/595
38+
- https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55
39+
- https://github.com/Shopify/job-iteration/releases/tag/v1.11.0
40+
- https://github.com/advisories/GHSA-6qjf-g333-pv38
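Review bot: the `title` value wraps onto a second line ("through its CsvEnumerator class"); as a plain YAML scalar that only parses if the continuation is indented under `title:`, which the rendered diff does not show. Either keep the title on one line or use a folded block (`title: >-`) in the same spirit as the `description: |` block so the entry cannot break the database loader. Minor: the `related.url` list repeats the primary `url` (the GHSA-6qjf-g333-pv38 advisory), which adds nothing over the `url` and `ghsa` fields already present.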
