CVE-2025-49619
In short
Skyvern allows authenticated users to inject malicious code into workflow prompts that is then executed on the server. An authenticated attacker can run arbitrary commands on the affected system.
Technical detail
The flaw is a server-side template injection (SSTI) in the Jinja2 processing of workflow block prompts (e.g., the Navigation v2 Block), caused by insufficient input sanitization. Authenticated attackers can inject crafted expressions that are evaluated server-side, resulting in blind remote code execution with the privileges of the application process.
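Because the injection point is the Prompt field of workflow blocks, an operator of an affected deployment can audit stored workflow definitions for template syntax before and after upgrading. The following scanner is an added example written for this page; it is not Skyvern's code, and the JSON layout (a "parameters" list with "key" entries, "blocks" with "prompt" fields) is an assumption about an exported workflow, not the project's real schema. It treats a bare reference to a declared workflow parameter such as {{ customer_id }} as legitimate and flags every other Jinja2 fragment (filters, attribute access, calls, statement and comment blocks, undeclared names) for review. The durable fix remains on the server side: user-supplied prompt text must be passed to the template engine as data, never compiled as template source.

```python
import json
import re

# Jinja2 expression, statement and comment delimiters.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.DOTALL)
# A plain parameter reference such as {{ customer_id }}: one bare identifier,
# with no attribute access, subscript, call or filter.
PLAIN_REFERENCE = re.compile(r"^\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}$")

# Constructed sample export; the field layout is an assumption for this example.
SAMPLE_WORKFLOW = {
    "title": "Invoice download (constructed sample)",
    "parameters": [{"key": "customer_id"}],
    "blocks": [
        {
            "label": "open_portal",
            "block_type": "navigation_v2",
            "prompt": "Open the customer portal for account {{ customer_id }} and go to invoices.",
        },
        {
            "label": "grab_total",
            "block_type": "navigation_v2",
            "prompt": "Read the total {{ customer_id | upper }} {% set x = 1 %} and {{ undeclared }}.",
        },
    ],
}


def classify_prompt(prompt, allowed_params):
    """Return the template fragments in `prompt` that are not bare references
    to a declared workflow parameter."""
    suspicious = []
    for fragment in TEMPLATE_SYNTAX.findall(prompt):
        match = PLAIN_REFERENCE.match(fragment)
        if match and match.group(1) in allowed_params:
            continue
        suspicious.append(fragment)
    return suspicious


def iter_prompts(node, path=""):
    """Yield (json_path, value) for every string stored under a key whose
    name contains 'prompt', walking nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and "prompt" in key.lower():
                yield child, value
            else:
                yield from iter_prompts(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_prompts(item, f"{path}[{index}]")


def audit_workflow(workflow):
    """Return one finding per suspicious template fragment found in any
    prompt field of the workflow; an empty list means nothing to review."""
    allowed = {param["key"] for param in workflow.get("parameters", [])}
    findings = []
    for path, prompt in iter_prompts(workflow.get("blocks", []), "blocks"):
        for fragment in classify_prompt(prompt, allowed):
            findings.append({"path": path, "fragment": fragment})
    return findings


def audit_export(export_json):
    """Audit a JSON document holding a single workflow export."""
    return audit_workflow(json.loads(export_json))


if __name__ == "__main__":
    for finding in audit_export(json.dumps(SAMPLE_WORKFLOW)):
        print(f"{finding['path']}: review fragment {finding['fragment']!r}")
```

Run against a real export, the script lists each block path and fragment to review; a clean run after upgrading past 0.1.85 does not prove the instance was never exploited, only that no stored prompt currently carries non-trivial template syntax.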
Summary generated and translated by AI from the official description.
Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Affected products
Skyvern · Skyvern
Public PoCs found — 3
github: github.com/cristibtz/CVE-2025-49619 (★ 2)
cve_reference: cristibtz.blog/posts/CVE-2025-49619/ (unverified)
cve_reference: www.exploit-db.com/exploits/52335 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.