Cyber Resilience

CVE-2025-49619

Severity: High | Public PoC

Published: 07 June 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS v3.1 Score: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.7354 (98.8th percentile)
Risk Priority: 61 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-49619 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Github (inferred from references). Its CVSS base score is 8.5 (High).

Operationally, this CVE ranks in the top 1.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Skyvern through version 0.1.85 contains a server-side template injection vulnerability in the Prompt field of workflow blocks such as the Navigation v2 Block. The flaw stems from insufficient sanitization of Jinja2 template expressions supplied by users, which are then evaluated on the server and can result in blind remote code execution.

Authenticated users with access to workflow configuration can supply crafted template expressions to achieve code execution on the server. The CVSS 8.5 rating reflects network attack vector, low attack complexity, and low privileges required, with impacts primarily on confidentiality and limited integrity.
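To make the flaw class concrete from a defender's side, the following is an added example (constructed for this page; it is not Skyvern's code and not the referenced patch). It contrasts the unsafe pattern, in which a user-supplied Prompt string becomes Jinja2 template source and any expression inside it is evaluated, with the hardened pattern, in which the server's template is fixed and the prompt is passed in as a variable, and adds a simple detection check that flags template delimiters in workflow block configuration. The block names, the sample prompts and the `url` context key are assumptions.

```python
"""Constructed illustration of the SSTI pattern behind CVE-2025-49619 and its mitigation.

Not Skyvern's code: the block names, sample prompts and context keys are invented.
"""
import re

try:
    from jinja2 import Environment
    from jinja2.sandbox import SandboxedEnvironment
    JINJA2_AVAILABLE = True
except ImportError:  # keep the detection helpers usable even without jinja2
    JINJA2_AVAILABLE = False

# Jinja2 delimiters; their presence in a field meant to hold plain text is a signal worth logging.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\{%|\{#|\}\}|%\}|#\}")

# Constructed sample workflow configuration (hypothetical block names).
SAMPLE_PROMPT = "Open the cart page and count {{ 2 + 3 }} items"
SAMPLE_CONTEXT = {"url": "https://shop.example"}
SAMPLE_WORKFLOW = [
    {"block": "login", "prompt": "Sign in with the provided credentials"},
    {"block": "navigation_v2", "prompt": SAMPLE_PROMPT},
    {"block": "extract", "prompt": "Return the order total as a number"},
]


def prompt_contains_template_syntax(prompt: str) -> bool:
    """Detection check: does a Prompt value carry Jinja2 delimiters?"""
    return TEMPLATE_SYNTAX.search(prompt) is not None


def triage_workflow(blocks: list) -> list:
    """Return the names of workflow blocks whose Prompt field contains template syntax."""
    return [b["block"] for b in blocks if prompt_contains_template_syntax(b.get("prompt", ""))]


def render_prompt_unsafe(prompt: str, context: dict) -> str:
    """Vulnerable pattern: the user's text is the template *source*.

    Anything written as a Jinja2 expression inside the prompt is evaluated on the server.
    """
    return Environment(autoescape=False).from_string(prompt).render(**context)


def render_prompt_safe(prompt: str, context: dict) -> str:
    """Hardened pattern: the template source is fixed server-side.

    The user's prompt is passed as a variable, so its content is inserted as a string and
    never parsed as template syntax. SandboxedEnvironment additionally limits what the
    server-controlled template itself can reach.
    """
    env = SandboxedEnvironment(autoescape=False)
    template = env.from_string("Task for {{ url }}: {{ user_prompt }}")
    return template.render(url=context.get("url", ""), user_prompt=prompt)


if __name__ == "__main__":
    print("flagged blocks:", triage_workflow(SAMPLE_WORKFLOW))
    if JINJA2_AVAILABLE:
        print("unsafe:", render_prompt_unsafe(SAMPLE_PROMPT, SAMPLE_CONTEXT))
        print("safe:  ", render_prompt_safe(SAMPLE_PROMPT, SAMPLE_CONTEXT))
```

In the unsafe path the constructed prompt renders with `{{ 2 + 3 }}` replaced by `5`, which is exactly the property an attacker abuses; in the safe path the same text comes back verbatim because it was only ever data. Treating the prompt as a variable is the stronger control; the sandbox is defence in depth for the template the server does own.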

A patch addressing the issue is referenced in the Skyvern commit db856cd8433a204c8b45979c70a4da1e119d949d. Public exploit code is also available via Exploit-DB entry 52335, and detailed analysis appears in the linked technical write-ups. The EPSS score has remained at 0.7354 without a material increase after disclosure.

EU & UK References

Vulnerability details

Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE).

CWE(s)

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Github (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References