1 file changed: +40 -0 lines changed
1
+ ---
2
+ gem : job-iteration
3
+ cve : 2025-53623
4
+ ghsa : 6qjf-g333-pv38
5
+ url : https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
6
+ title : Job Iteration API is vulnerable to OS Command Injection attack
7
+ through its CsvEnumerator class
8
+ date : 2025-07-14
9
+ description : |
10
+ ### Impact
11
+
12
+ There is an arbitrary code execution vulnerability in the
13
+ `CsvEnumerator` class of the `job-iteration` repository. This
14
+ vulnerability can be exploited by an attacker to execute arbitrary
15
+ commands on the system where the application is running, potentially
16
+ leading to unauthorized access, data leakage, or complete system
17
+ compromise.
18
+
19
+ ### Patches
20
+
21
+ Issue is fixed in versions `1.11.0` and above.
22
+
23
+ ### Workarounds
24
+
25
+ Users can mitigate the risk by avoiding the use of untrusted input
26
+ in the `CsvEnumerator` class and ensuring that any file paths are
27
+ properly sanitized and validated before being passed to the class
28
+ methods. Users should avoid calling `size` on enumerators
29
+ constructed with untrusted CSV filenames.
30
+ cvss_v4 : 8.1
31
+ patched_versions :
32
+ - " >= 1.11"
33
+ related :
34
+ url :
35
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-53623
36
+ - https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
37
+ - https://github.com/Shopify/job-iteration/pull/595
38
+ - https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55
39
+ - https://github.com/Shopify/job-iteration/releases/tag/v1.11.0
40
+ - https://github.com/advisories/GHSA-6qjf-g333-pv38
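Review bot: the `patched_versions` entry `" >= 1.11"` has a leading space inside the quoted constraint and omits the patch level that the Patches section and the release link both give as `1.11.0`; writing it as `">= 1.11.0"` keeps the constraint in the usual form for this database and makes it match the stated fixed version exactly. The Impact text also describes the issue as "arbitrary code execution" while the title says OS command injection and the Workarounds section narrows it to calling `size` on enumerators built from untrusted CSV filenames; a sentence in Impact naming that entry point would bring the three sections into agreement and give readers a clearer basis for judging their own exposure.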