Red Hat has released a security update this week for its Ansible Automation Platform 2.5. The patches fix multiple serious vulnerabilities, including two in the Event‑Driven Ansible (EDA) component and another in the gateway proxy. Here’s what you need to know.
What got fixed
CVE‑2025‑49520 – a critical argument injection flaw in the EDA module. Unsanitized Git URLs could let an authenticated attacker inject extra arguments into a git ls-remote call, which could lead to code execution on EDA workers. In Kubernetes or OpenShift setups, it might even allow theft of service account tokens.
CVE‑2025‑49521 – a Jinja2 template injection flaw in the same EDA component. An attacker could craft branch or refspec values containing templates. Those templates are evaluated, allowing arbitrary command execution or file access on the EDA worker, again risking service account token exposure.
CVE‑2025‑22871 – a request smuggling issue in the automation gateway proxy and receptor components, due to weak handling of invalid chunked HTTP data.
According to Red Hat, the two EDA flaws received a high severity score of 8.8 (CVSS 3.1). They require only low privileges and can be exploited remotely. The proxy issue is rated “Important”.
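Both EDA flaws come down to user-controlled project fields (a Git URL, a branch or refspec) reaching a sensitive sink: a git command line in one case, a template engine in the other. The Python below is an added illustration, not code from Ansible, EDA or Red Hat, of the input handling a defender would want in front of such a sink: an allowlist on URL schemes and refname characters, rejection of option-like and template-like values, no shell, and a "--" separator so git never parses a value as a flag. The function names, regular expressions and sample inputs are assumptions made for the example.

```python
import re
import subprocess
from typing import List

# Added example: hypothetical validation in front of a `git ls-remote` call
# built from user-supplied project fields. Not EDA's own code; the names,
# patterns and limits here are assumptions for illustration.

# Allowlisted transports. Anything else, including a bare "-..." value that
# git would read as an option, is rejected before it reaches a command line.
_URL_RE = re.compile(r"^(https|http|ssh|git)://[A-Za-z0-9._~%/:@\-]+$")

# Subset of git's refname rules: starts with an alphanumeric, no spaces,
# no control characters, no '..', none of the '~^:?*[' characters.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/\-]*$")
_TEMPLATE_MARKERS = ("{{", "{%", "{#")


class UnsafeInputError(ValueError):
    """A project field was rejected before being used in a command."""


def validate_git_url(url: str) -> str:
    """Return url unchanged if it is a plain, allowlisted remote URL."""
    if url.startswith("-"):
        raise UnsafeInputError("URL looks like a command-line option")
    if not _URL_RE.fullmatch(url):
        raise UnsafeInputError("URL has an unsupported scheme or characters")
    return url


def validate_refspec(ref: str) -> str:
    """Return ref unchanged if it is a plain refname with no template syntax."""
    if any(m in ref for m in _TEMPLATE_MARKERS):
        raise UnsafeInputError("refspec contains template delimiters")
    if ".." in ref or ref.endswith("/") or ref.endswith(".lock"):
        raise UnsafeInputError("refspec violates git refname rules")
    if not _REF_RE.fullmatch(ref):
        raise UnsafeInputError("refspec contains disallowed characters")
    return ref


def build_ls_remote_argv(url: str, ref: str) -> List[str]:
    """argv for subprocess.run(..., shell=False). The '--' ends option
    parsing, so git treats what follows as operands even if a value that
    resembles a flag ever got past validation."""
    return ["git", "ls-remote", "--", validate_git_url(url), validate_refspec(ref)]


def ls_remote(url: str, ref: str, timeout: float = 30.0) -> str:
    """Run the validated command without a shell and return git's stdout."""
    argv = build_ls_remote_argv(url, ref)
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs; the URL is a placeholder, not a real repository.
    print(build_ls_remote_argv("https://git.example.com/org/repo.git", "main"))
    for bad_url, bad_ref in (("-v", "main"),
                             ("https://git.example.com/r.git", "{{ x }}")):
        try:
            build_ls_remote_argv(bad_url, bad_ref)
        except UnsafeInputError as exc:
            print("rejected:", exc)
```

The scheme allowlist is deliberately narrow (scp-style "user@host:repo" strings are not matched) and is a policy choice for the example, not a statement about what EDA accepts. For the template side, the same principle applies in reverse: a branch or refspec field is data and should never be used as the source text of a template; anything that must be rendered should come from an operator-controlled template with user values passed in only as context variables.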
Who’s affected
Systems running Ansible Automation Platform 2.5 on RHEL 8 or 9, including various architectures (x86_64, s390x, ppc64le, aarch64), are affected. This covers installations via RPM, container-based setups, and EDA controllers.
What to do now
- Update to the patched versions listed in RHSA‑2025:9986. That includes new builds for automation‑gateway, automation‑eda‑controller, receptor, and related packages.
- Use vulnerability scanners like Nessus plugin 241026 or Tenable IDS to detect outdated EDA components.
- If you run EDA on Kubernetes/OpenShift, prioritize updating now. Don’t rely on network isolation alone.
Why it matters
EDA lets administrators automate tasks based on triggers and events. It’s a key part of modern DevOps workflows. If someone tampered with Git URLs or branch definitions, they could trick the system into running harmful commands. In a Kubernetes context, that could mean access to critical tokens and control over cluster components.
Request smuggling, though less flashy, can bypass proxies or filters and help attackers reach internal services. That may open the door to wider attacks.
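The root of request smuggling is two hops disagreeing about where one request ends, and lenient handling of malformed chunked bodies is one way that disagreement arises. The Python below is an added illustration, not the gateway's or receptor's code, of the strict stance a proxy can take: a chunked decoder that rejects anything a tolerant parser might quietly accept (whitespace or non-hex in the size line, bare LF line ends, chunk extensions, trailers, truncated chunks, trailing bytes), plus a check that refuses headers giving two ways to compute the message length. The function names, the decision to reject extensions and trailers, and the sample messages are assumptions for the example.

```python
import re
from typing import List, Optional, Tuple

# Added example: a strict chunked-body decoder and a framing check of the
# kind a proxy needs so it never disagrees with the next hop about where a
# request ends. Illustrative only; names and sample messages are assumptions.

_CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]{1,8}$")


class ChunkedFramingError(ValueError):
    """The body is not unambiguously framed; the safe response is to reject it."""


def decode_chunked_strict(data: bytes) -> bytes:
    """Decode a chunked transfer-coded body, refusing anything lenient parsers
    tend to tolerate. Chunk extensions and trailers are rejected outright
    (a design choice for this example, not a statement about the gateway)."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkedFramingError("chunk-size line not CRLF terminated")
        size_field = data[pos:eol]
        # Exactly 1-8 hex digits: no leading space, no ';extension', no bare LF.
        if not _CHUNK_SIZE_RE.fullmatch(size_field):
            raise ChunkedFramingError(f"invalid chunk-size line {size_field!r}")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # last-chunk must be followed by an empty trailer section and nothing else
            if data[pos:pos + 2] != b"\r\n":
                raise ChunkedFramingError("missing CRLF after last chunk")
            if len(data) != pos + 2:
                raise ChunkedFramingError("bytes present after end of body")
            return bytes(out)
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedFramingError("truncated chunk")
        out += chunk
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkedFramingError("chunk data not followed by CRLF")
        pos += 2


def framing_conflict(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return a reason string if the headers give more than one way to find
    the message length, or None if framing is unambiguous."""
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]
    if te and cl:
        return "both Transfer-Encoding and Content-Length present"
    if len({v.strip() for v in cl}) > 1:
        return "conflicting Content-Length values"
    if any(not v.strip().isdigit() for v in cl):
        return "non-numeric Content-Length"
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings.count("chunked") > 1:
            return "chunked applied more than once"
        if codings[-1] != "chunked":
            return "chunked is not the final transfer coding"
    return None


if __name__ == "__main__":
    # Constructed sample bodies and headers for demonstration.
    print(decode_chunked_strict(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    for body in (b" 4\r\nWiki\r\n0\r\n\r\n",
                 b"4\nWiki\r\n0\r\n\r\n",
                 b"4\r\nWiki\r\n0\r\n\r\nX"):
        try:
            decode_chunked_strict(body)
        except ChunkedFramingError as exc:
            print("rejected:", exc)
    print(framing_conflict([("Content-Length", "5"),
                            ("Transfer-Encoding", "chunked")]))
```

A proxy that rejects these inputs with a 400 loses nothing legitimate in practice and removes the interpretation gap that smuggling depends on; the rejection also makes a useful log signal, since well-behaved clients do not produce malformed chunk framing.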