EUVD-2025-21387
GHSA-6qjf-g333-pv38
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Lifecycle Timeline
4Description
The Job Iteration API is an an extension for ActiveJob that make jobs interruptible and resumable Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the `CsvEnumerator` class. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. The issue is fixed in versions `1.11.0` and above. Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid using the `count_of_rows_in_file` method with untrusted CSV filenames.
Analysis
CVE-2025-53623 is an arbitrary code execution vulnerability in the Job Iteration API's CsvEnumerator class affecting versions prior to 1.11.0. An unauthenticated remote attacker can execute arbitrary system commands by supplying malicious input to CSV file processing methods, particularly the count_of_rows_in_file method, potentially leading to complete system compromise. The vulnerability has a CVSS score of 8.1 indicating high severity with network-accessible attack vector and no privilege requirements.
Technical Context
The Job Iteration API is a Ruby on Rails extension that augments ActiveJob to provide job interruptibility and resumability features. The vulnerability exists in the CsvEnumerator class, which handles CSV file enumeration and processing. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that untrusted user input is directly incorporated into OS command execution without proper sanitization or validation. The count_of_rows_in_file method appears to construct shell commands using unsanitized CSV filenames or paths, allowing command injection. This is a classic OS command injection vulnerability where file path parameters are not properly escaped before being passed to system-level operations.
Affected Products
Job Iteration API (Ruby gem): versions prior to 1.11.0 are vulnerable. Affected versions include all 1.x releases up to and including 1.10.x. The vulnerability is specifically in the CsvEnumerator class, meaning applications using CSV enumeration features are at highest risk. This impacts Ruby on Rails applications using the job_iteration gem as a dependency. No specific CPE string is provided in available data, but the affected gem can be identified as 'job_iteration' in Bundler/RubyGems package management. Fixed versions: 1.11.0 and above. Affected organizations should inventory dependencies to identify exposure.
Remediation
Immediate remediation: (1) Upgrade Job Iteration API gem to version 1.11.0 or later by updating the Gemfile and running 'bundle update job_iteration'. (2) For applications unable to patch immediately, implement strict input validation on all CSV filenames and file paths before passing them to CsvEnumerator methods, particularly count_of_rows_in_file—use allowlists of permitted file paths and sanitize all user input according to Ruby/Rails security best practices. (3) Avoid using untrusted user input directly as CSV file paths; if user-supplied filenames are necessary, implement a filename mapping system that decouples user input from actual filesystem operations. (4) Apply principle of least privilege to application runtime permissions to limit blast radius if exploitation occurs. (5) Monitor application logs for suspicious patterns in CSV file processing operations that may indicate exploitation attempts.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today