GSA_kwCzR0hTQS02cWpmLWczMzMtcHYzOM4ABKHO

High CVSS: 8.1 EPSS: 0.00078% (0.23919 Percentile) EPSS:

Permalink JSON

Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class

Affected Packages	Affected Versions	Fixed Versions
rubygems:job-iteration	< 1.11	1.11
1 Dependent packages 5 Dependent repositories 6,050,828 Downloads total Affected Version Ranges All affected versions 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0 All unaffected versions 1.11.0

Impact

There is an arbitrary code execution vulnerability in the CsvEnumerator class of the job-iteration repository. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise.

Patches

Issue is fixed in versions 1.11.0 and above.

Workarounds

Users can mitigate the risk by avoiding the use of untrusted input in the CsvEnumerator class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid calling size on enumerators constructed with untrusted CSV filenames.

References:

Identifiers

GHSA-6qjf-g333-pv38

CVE-2025-53623

Risk

Severity

High

CVSS

CVSS Score: 8.1

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

EPSS

EPSS Percentage: 0.00078

EPSS Percentile: 0.23919

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/Shopify/job-iteration

Date and time

Published

16 days ago

Updated

15 days ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories