CVE-2025-48069

Published: May 21, 2025

Modified: May 21, 2025

PUBLISHED

CVSS v3.1

6.6

MEDIUM

Description

ejson2env allows users to decrypt EJSON secrets and export them as environment variables. Prior to version 2.0.8, the `ejson2env` tool has a vulnerability related to how it writes to `stdout`. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to `stdout`. If this output is improperly utilized in further command execution, it could lead to command injection, allowing an attacker to execute arbitrary commands on the host system. Version 2.0.8 sanitizes output during decryption. Other mitigations involve avoiding use of `ejson2env` to decrypt untrusted user secrets and/or avoiding evaluating or executing the direct output from `ejson2env` without removing nonprintable characters.

Vendor	Product	Versions
Shopify	ejson2env	affected `< 2.0.8`

Weaknesses (CWE)

CWE-78

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6

x_refsource_CONFIRM

https://github.com/Shopify/ejson2env/commit/592b3ceea967fee8b064e70983e8cec087b6d840

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-48069

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References