What is the CVSS score of CVE-2025-53623?

CVE-2025-53623 has a CVSS 4.0 base score of 8.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U. EPSS exploitation probability: 0.2%.

Which versions of Ruby are affected by CVE-2025-53623?

A critical vulnerability in the Job Iteration API (CVE-2025-53623) allows attackers to execute arbitrary code on systems running affected versions prior to 1.11.0.. A patch is available.

How to fix or mitigate CVE-2025-53623?

Within 24 hours: Audit all systems using Job Iteration API versions prior to 1.11.0 and identify which applications process CSV files from untrusted sources; implement immediate input validation and file path sanitization for any CsvEnumerator usage. Within 7 days: Disable or restrict the count_of_rows_in_file method if currently in use with external CSV sources; implement network segmentation to limit lateral movement if exploitation occurs. Within 30 days: Upgrade to version 1.11.0 or above once available; conduct full security testing before deployment to production.

Ruby CVE-2025-53623

EUVD-2025-21387 HIGH

OS Command Injection (CWE-78)

2025-07-14 security-advisories@github.com

GHSA-6qjf-g333-pv38

RCE Ruby Information Disclosure

8.1

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 16, 2026 - 09:43 euvd

EUVD-2025-21387

Analysis Generated

Mar 16, 2026 - 09:43 vuln.today

CVE Published

Jul 14, 2025 - 20:15 nvd

HIGH 8.1

DescriptionGitHub Advisory

The Job Iteration API is an an extension for ActiveJob that make jobs interruptible and resumable Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the CsvEnumerator class. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. The issue is fixed in versions 1.11.0 and above. Users can mitigate the risk by avoiding the use of untrusted input in the CsvEnumerator class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid using the count_of_rows_in_file method with untrusted CSV filenames.

AnalysisAI

CVE-2025-53623 is an arbitrary code execution vulnerability in the Job Iteration API's CsvEnumerator class affecting versions prior to 1.11.0. An unauthenticated remote attacker can execute arbitrary system commands by supplying malicious input to CSV file processing methods, particularly the count_of_rows_in_file method, potentially leading to complete system compromise. The vulnerability has a CVSS score of 8.1 indicating high severity with network-accessible attack vector and no privilege requirements.

Technical ContextAI

The Job Iteration API is a Ruby on Rails extension that augments ActiveJob to provide job interruptibility and resumability features. The vulnerability exists in the CsvEnumerator class, which handles CSV file enumeration and processing. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that untrusted user input is directly incorporated into OS command execution without proper sanitization or validation. The count_of_rows_in_file method appears to construct shell commands using unsanitized CSV filenames or paths, allowing command injection. This is a classic OS command injection vulnerability where file path parameters are not properly escaped before being passed to system-level operations.

RemediationAI

Immediate remediation: (1) Upgrade Job Iteration API gem to version 1.11.0 or later by updating the Gemfile and running 'bundle update job_iteration'. (2) For applications unable to patch immediately, implement strict input validation on all CSV filenames and file paths before passing them to CsvEnumerator methods, particularly count_of_rows_in_file—use allowlists of permitted file paths and sanitize all user input according to Ruby/Rails security best practices. (3) Avoid using untrusted user input directly as CSV file paths; if user-supplied filenames are necessary, implement a filename mapping system that decouples user input from actual filesystem operations. (4) Apply principle of least privilege to application runtime permissions to limit blast radius if exploitation occurs. (5) Monitor application logs for suspicious patterns in CSV file processing operations that may indicate exploitation attempts.

CVE-2025-53623 vulnerability details – vuln.today

Back