GHSA-6QJF-G333-PV38
Vulnerability from github – Published: 2025-07-14 17:55 – Updated: 2025-08-20 23:15
Summary
Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class
Details
Impact
There is an arbitrary code execution vulnerability in the CsvEnumerator class of the job-iteration repository. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise.
Patches
The issue is fixed in versions 1.11.0 and above.
Workarounds
Users can mitigate the risk by not passing untrusted input to the CsvEnumerator class and by ensuring that any file paths are sanitized and validated before they are passed to the class's methods. In particular, avoid calling count_of_rows_in_file on enumerators constructed with untrusted CSV filenames.
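The workaround above amounts to two controls: confine an untrusted filename to a known directory before it reaches the enumerator, and never let it be interpreted by a shell (CWE-78 with a filename as the vector implies exactly that). The Ruby below is an added example, not code from job-iteration or from the advisory; it assumes the application owns an upload directory, and the helper names safe_csv_path, count_csv_rows and demo are the example's own.

```ruby
require "pathname"
require "tmpdir"

# Allow-list for user-supplied names: letters, digits, "_", ".", "/" and "-".
# Anything a shell could interpret (spaces, quotes, ";", "$(", backticks) is rejected up front.
SAFE_NAME = %r{\A[\w./-]+\z}

# Resolve the untrusted name against base_dir and return a real, absolute path
# that is guaranteed to live inside base_dir. Rejects traversal ("../x"),
# symlinks that point outside, non-CSV files and names with unexpected characters.
# Returning an absolute path also means the value can never start with "-",
# so it cannot be mistaken for an option by a program such as wc.
def safe_csv_path(user_supplied, base_dir)
  raise ArgumentError, "unexpected characters in filename" unless user_supplied.match?(SAFE_NAME)
  base = Pathname.new(base_dir).realpath
  real = (base + user_supplied).realpath # raises Errno::ENOENT if absent; symlinks resolved
  unless real.to_s.start_with?("#{base}#{File::SEPARATOR}")
    raise ArgumentError, "path escapes #{base}"
  end
  raise ArgumentError, "not a regular .csv file" unless real.file? && real.extname == ".csv"
  real.to_s
end

# Count data rows in pure Ruby: no subprocess is spawned, so the filename can
# never be executed as a command. Subtracts the header line when present.
def count_csv_rows(path, header: true)
  lines = File.foreach(path).count
  header && lines.positive? ? lines - 1 : lines
end

# Constructed sample: an upload directory holding one CSV plus a symlink that
# points outside it. Returns which names the validator accepted or rejected.
def demo
  Dir.mktmpdir do |dir|
    uploads = File.join(dir, "uploads")
    Dir.mkdir(uploads)
    File.write(File.join(uploads, "orders.csv"), "id,total\n1,9.99\n2,4.50\n")
    File.write(File.join(dir, "secret.txt"), "outside\n")
    File.symlink(File.join(dir, "secret.txt"), File.join(uploads, "link.csv"))
    results = { rows: count_csv_rows(safe_csv_path("orders.csv", uploads)) }
    ["../secret.txt", "link.csv", "orders.csv; id", "$(id).csv", "missing.csv"].each do |name|
      results[name] = begin
        safe_csv_path(name, uploads)
        :accepted
      rescue ArgumentError, Errno::ENOENT
        :rejected
      end
    end
    results
  end
end
```

If the row count must still come from an external tool, pass the validated absolute path as a separate argument (for example via `IO.popen` or `Open3` with an argument array) rather than interpolating it into a command string.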
Severity
{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "job-iteration"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-14T17:55:06Z",
    "nvd_published_at": "2025-07-14T20:15:29Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThere is an arbitrary code execution vulnerability in the `CsvEnumerator` class of the `job-iteration` repository. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise.\n\n### Patches\nIssue is fixed in versions `1.11.0` and above.\n\n### Workarounds\nUsers can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid calling `count_of_rows_in_file` on enumerators constructed with untrusted CSV filenames.",
  "id": "GHSA-6qjf-g333-pv38",
  "modified": "2025-08-20T23:15:29Z",
  "published": "2025-07-14T17:55:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Shopify/job-iteration/pull/595"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Shopify/job-iteration"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Shopify/job-iteration/releases/tag/v1.11.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/job-iteration/CVE-2025-53623.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class"
}