{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53623", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-07T14:20:38.387Z", "datePublished": "2025-07-14T19:56:54.995Z", "dateUpdated": "2025-07-15T19:51:01.752Z"}, "containers": {"cna": {"title": "Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38"}, {"name": "https://github.com/Shopify/job-iteration/pull/595", "tags": ["x_refsource_MISC"], "url": "https://github.com/Shopify/job-iteration/pull/595"}, {"name": "https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55", "tags": ["x_refsource_MISC"], "url": "https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55"}, {"name": "https://github.com/Shopify/job-iteration/releases/tag/v1.11.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/Shopify/job-iteration/releases/tag/v1.11.0"}], "affected": [{"vendor": "Shopify", "product": "job-iteration", "versions": [{"version": "< 1.11.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-14T19:56:54.995Z"}, "descriptions": [{"lang": "en", "value": "The Job Iteration API is an an extension for ActiveJob that make jobs interruptible and resumable Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the `CsvEnumerator` class. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. The issue is fixed in versions `1.11.0` and above. Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid using the `count_of_rows_in_file` method with untrusted CSV filenames."}], "source": {"advisory": "GHSA-6qjf-g333-pv38", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-15T15:01:44.187860Z", "id": "CVE-2025-53623", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T19:51:01.752Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53623", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-15T15:01:44.187860Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T13:27:40.200Z"}}], "cna": {"title": "Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class", "source": {"advisory": "GHSA-6qjf-g333-pv38", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Shopify", "product": "job-iteration", "versions": [{"status": "affected", "version": "< 1.11.0"}]}], "references": [{"url": "https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38", "name": "https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Shopify/job-iteration/pull/595", "name": "https://github.com/Shopify/job-iteration/pull/595", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55", "name": "https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Shopify/job-iteration/releases/tag/v1.11.0", "name": "https://github.com/Shopify/job-iteration/releases/tag/v1.11.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Job Iteration API is an an extension for ActiveJob that make jobs interruptible and resumable Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the `CsvEnumerator` class. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. The issue is fixed in versions `1.11.0` and above. Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid using the `count_of_rows_in_file` method with untrusted CSV filenames."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-14T19:56:54.995Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53623", "state": "PUBLISHED", "dateUpdated": "2025-07-15T19:51:01.752Z", "dateReserved": "2025-07-07T14:20:38.387Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-14T19:56:54.995Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Job Iteration API is an an extension for ActiveJob that make jobs interruptible and resumable Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the `CsvEnumerator` class. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. The issue is fixed in versions `1.11.0` and above. Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid using the `count_of_rows_in_file` method with untrusted CSV filenames."}, {"lang": "es", "value": "La API de iteraci\u00f3n de trabajos es una extensi\u00f3n de ActiveJob que permite interrumpir y reanudar los trabajos. Las versiones anteriores a la 1.11.0 presentan una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario en la clase `CsvEnumerator`. Un atacante puede aprovechar esta vulnerabilidad para ejecutar comandos arbitrarios en el sistema donde se ejecuta la aplicaci\u00f3n, lo que podr\u00eda provocar acceso no autorizado, fuga de datos o la vulneraci\u00f3n total del sistema. El problema se ha solucionado en las versiones `1.11.0` y posteriores. Los usuarios pueden mitigar el riesgo evitando el uso de entradas no confiables en la clase `CsvEnumerator` y asegur\u00e1ndose de que las rutas de archivo se depuren y validen correctamente antes de pasarlas a los m\u00e9todos de la clase. Se recomienda a los usuarios evitar el uso del m\u00e9todo `count_of_rows_in_file` con nombres de archivo CSV no confiables."}], "id": "CVE-2025-53623", "lastModified": "2025-07-15T13:14:24.053", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-14T20:15:29.323", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55"}, {"source": "security-advisories@github.com", "url": "https://github.com/Shopify/job-iteration/pull/595"}, {"source": "security-advisories@github.com", "url": "https://github.com/Shopify/job-iteration/releases/tag/v1.11.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}