CVE-2025-53623

The Job Iteration API is an an extension for ActiveJob that make jobs interruptible and resumable Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the `CsvEnumerator` class. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. The issue is fixed in versions `1.11.0` and above. Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid using the `count_of_rows_in_file` method with untrusted CSV filenames.

CVSS

No CVSS.

References

Link	Resource
https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55
https://github.com/Shopify/job-iteration/pull/595
https://github.com/Shopify/job-iteration/releases/tag/v1.11.0
https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38

Configurations

No configuration.

History

15 Jul 2025, 13:14

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-14 20:15

Updated : 2025-07-15 13:14

NVD link : CVE-2025-53623

Mitre link : CVE-2025-53623

CVE.ORG link : CVE-2025-53623

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2025-53623", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-14T20:15:29.323", "references": [{"url": "https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55", "source": "security-advisories@github.com"}, {"url": "https://github.com/Shopify/job-iteration/pull/595", "source": "security-advisories@github.com"}, {"url": "https://github.com/Shopify/job-iteration/releases/tag/v1.11.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "The Job Iteration API is an an extension for ActiveJob that make jobs interruptible and resumable Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the `CsvEnumerator` class. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. The issue is fixed in versions `1.11.0` and above. Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid using the `count_of_rows_in_file` method with untrusted CSV filenames."}, {"lang": "es", "value": "La API de iteraci\u00f3n de trabajos es una extensi\u00f3n de ActiveJob que permite interrumpir y reanudar los trabajos. Las versiones anteriores a la 1.11.0 presentan una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario en la clase `CsvEnumerator`. Un atacante puede aprovechar esta vulnerabilidad para ejecutar comandos arbitrarios en el sistema donde se ejecuta la aplicaci\u00f3n, lo que podr\u00eda provocar acceso no autorizado, fuga de datos o la vulneraci\u00f3n total del sistema. El problema se ha solucionado en las versiones `1.11.0` y posteriores. Los usuarios pueden mitigar el riesgo evitando el uso de entradas no confiables en la clase `CsvEnumerator` y asegur\u00e1ndose de que las rutas de archivo se depuren y validen correctamente antes de pasarlas a los m\u00e9todos de la clase. Se recomienda a los usuarios evitar el uso del m\u00e9todo `count_of_rows_in_file` con nombres de archivo CSV no confiables."}], "lastModified": "2025-07-15T13:14:24.053", "sourceIdentifier": "security-advisories@github.com"}