CVE-2025-49619

EUVD-2025-17375 | HIGH 8.5 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 19:13 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 19:13 (euvd), EUVD-2025-17375
PoC Detected: Jun 17, 2025 21:15 (vuln.today), public exploit code
CVE Published: Jun 07, 2025 14:15 (nvd), HIGH 8.5

Description

Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE).

Analysis

Skyvern versions through 0.1.85 contain a server-side template injection (SSTI) vulnerability in the Prompt field of workflow blocks (specifically Navigation v2 Block) that allows authenticated users to inject malicious Jinja2 template expressions. These expressions are evaluated server-side without proper sanitization, enabling blind remote code execution. With a CVSS score of 8.5, this vulnerability requires valid authentication but has high confidentiality impact and crosses trust boundaries (CVSS:3.1/S:C).

Technical Context

The vulnerability stems from improper handling of Jinja2 template input in Skyvern's workflow automation system. Jinja2 is a powerful Python templating engine that supports expression evaluation; when user-supplied input is passed directly to Jinja2's render functions without sanitization, attackers can break out of template context and execute arbitrary Python code. The root cause is classified under CWE-1336 (Improper Neutralization of Special Elements used in a Template Engine), indicating that user input reaches the template rendering engine without adequate filtering or escaping. The affected component (Prompt field in Navigation v2 Block and similar workflow blocks) processes this unsanitized input as template code during workflow execution, allowing expression injection such as `{{ 7*7 }}` or more dangerous payloads leveraging Jinja2's built-in functions and object access to execute system commands.

Affected Products

Skyvern through version 0.1.85 is affected. The vulnerability specifically impacts: Navigation v2 Block (confirmed in description), and likely other workflow blocks with Prompt fields that process user input as Jinja2 templates. CPE identifiers would be: cpe:2.3:a:skyvern:skyvern:*:*:*:*:*:*:*:* (versions <= 0.1.85). Organizations should verify all workflow block types that accept Prompt input; Skyvern documentation should be consulted to identify all affected components. Vendor advisory status and patched version availability require checking Skyvern's official release notes or GitHub repository.

Remediation

1. **Immediate Mitigation**: Restrict access to workflow creation and editing to highly trusted administrators only; audit all existing workflows for suspicious Prompt field content.
2. **Patch**: Upgrade Skyvern to a version > 0.1.85 when available (check https://github.com/skyvern-ai/skyvern or https://skyvern.ai for release notes).
3. **Workaround (if patching is delayed)**: Implement server-side input validation on Prompt fields using a whitelist approach: only allow literal strings, or use Jinja2's sandbox mode (jinja2.sandbox.SandboxedEnvironment) with restricted builtins and access controls to prevent dangerous object traversal.
4. **Code-level fix**: Developers should sanitize/escape all user input before passing it to Jinja2 render(), or use template auto-escaping and disable dynamic code evaluation in template context.
5. **Detection**: Search workflow configurations for suspicious Jinja2 syntax (e.g., `{{`, `{%`, `__import__`, `os.`, `eval`, `popen`) in Prompt fields.
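The detection search in step 5 and the literal-string whitelist in step 3, as an added example that is not part of this advisory or of Skyvern's own code: a stdlib-only scanner that walks a workflow definition, flags every Prompt field containing Jinja2 delimiters or the listed tokens, and a save-time check that accepts only literal strings. The workflow shape (`blocks`, `loop_blocks`, `prompt` keys) is an assumption and the sample workflow is constructed.

```python
import re

# Indicators from the advisory's detection step. Delimiters are matched literally;
# tokens use word boundaries so prose such as "evaluate" or "photos." is not flagged.
TEMPLATE_DELIMITERS = ("{{", "{%")
DANGEROUS_TOKENS = {"__import__": re.compile(r"__import__"), "os.": re.compile(r"\bos\."),
                    "eval": re.compile(r"\beval\b"), "popen": re.compile(r"\bpopen\b")}


def iter_prompt_fields(node, path="$"):
    # Walk nested dicts/lists and yield (path, text) for every key named "prompt".
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == "prompt" and isinstance(value, str):
                yield f"{path}.{key}", value
            else:
                yield from iter_prompt_fields(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_prompt_fields(item, f"{path}[{i}]")


def is_literal_prompt(text):
    # Save-time whitelist check for the workaround: reject any Jinja2 delimiter.
    return not any(d in text for d in TEMPLATE_DELIMITERS)


def scan_workflow(workflow):
    # One finding per prompt field carrying template syntax or a dangerous token.
    findings = []
    for path, text in iter_prompt_fields(workflow):
        delims = [d for d in TEMPLATE_DELIMITERS if d in text]
        tokens = [n for n, rx in DANGEROUS_TOKENS.items() if rx.search(text)]
        if not delims and not tokens:
            continue
        # Delimiters plus a token: an expression reaching Python objects; a token alone is usually prose.
        severity = "high" if delims and tokens else "medium" if delims else "low"
        findings.append({"path": path, "severity": severity,
                         "delimiters": delims, "tokens": tokens})
    return findings


# Constructed sample shaped like a workflow export (assumed key names, not a real Skyvern file).
SAMPLE_WORKFLOW = {"blocks": [
    {"label": "nav1", "block_type": "navigation_v2",
     "prompt": "Open the orders page and evaluate the status column."},
    {"label": "nav2", "block_type": "navigation_v2", "prompt": "Find the total: {{ 7*7 }}"},
    {"label": "loop", "block_type": "for_loop", "loop_blocks": [
        {"label": "nav3", "block_type": "navigation_v2", "prompt": "Click next {{ os.popen }}"}]},
]}
```

Run `scan_workflow` over each exported workflow and route "high" findings to incident response, since a prompt that both opens a template expression and names a Python object is not something an operator types by accident.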

Priority Score

129 (KEV: 0, EPSS: +66.4, CVSS: +42, POC: +20)

CVE-2025-49619 vulnerability details – vuln.today