CVE-2025-48069: Insufficient input sanitization in ejson2env
The ejson2env tool writes export statements for environment variable names and their values to stdout. Because this output was not adequately sanitized, a variable name or value containing shell metacharacters can cause additional, unintended commands to be emitted alongside the intended export statement. If a consumer then passes that output to a shell for execution, the flaw becomes a command injection, allowing an attacker who controls a variable name or value to execute arbitrary commands on the host system.
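The following Go program is an added illustration of the pattern this advisory describes and of the corresponding defensive fix; it is not code from ejson2env and does not reproduce the project's implementation. `UnsafeExport` is a constructed stand-in for an emitter that interpolates names and values directly into `export NAME=VALUE` lines, so a value containing `;` or a newline turns into extra shell text. `SafeExport` applies the two checks a defender wants: it rejects any name that is not a valid POSIX shell identifier, and it single-quotes every value, escaping embedded single quotes as `'\''`, so the shell treats the value literally regardless of its content. The sample variable map is constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// validName accepts only POSIX shell variable names: a letter or underscore
// followed by letters, digits or underscores. Anything else (spaces, '=',
// ';', '$', newlines) is rejected rather than written into the output.
var validName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ShellQuote wraps v in single quotes so a POSIX shell takes it literally.
// Single quotes cannot be escaped inside a single-quoted string, so each
// embedded quote is written as '\'' (close quote, escaped quote, reopen).
func ShellQuote(v string) string {
	return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
}

// sortedKeys makes the output order deterministic.
func sortedKeys(env map[string]string) []string {
	keys := make([]string, 0, len(env))
	for k := range env {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// UnsafeExport is a constructed example of the flawed pattern: names and
// values are interpolated unquoted, so any shell metacharacter in either
// becomes part of the command stream a caller later evaluates.
func UnsafeExport(env map[string]string) string {
	var b strings.Builder
	for _, k := range sortedKeys(env) {
		fmt.Fprintf(&b, "export %s=%s\n", k, env[k])
	}
	return b.String()
}

// SafeExport validates each name and single-quotes each value. A bad name is
// an error for the whole batch, because emitting a partial script that a
// caller might still evaluate is worse than emitting nothing.
func SafeExport(env map[string]string) (string, error) {
	var b strings.Builder
	for _, k := range sortedKeys(env) {
		if !validName.MatchString(k) {
			return "", errors.New("invalid environment variable name: " + fmt.Sprintf("%q", k))
		}
		fmt.Fprintf(&b, "export %s=%s\n", k, ShellQuote(env[k]))
	}
	return b.String(), nil
}

func main() {
	// Constructed sample: the value carries a ';' and a quote, which an
	// unquoted emitter would hand to the shell as separate commands.
	env := map[string]string{
		"DB_PASS": "p'w; echo not-a-secret",
		"REGION":  "us-east-1",
	}
	fmt.Print("--- unsafe ---\n", UnsafeExport(env))
	safe, err := SafeExport(env)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print("--- safe ---\n", safe)
}
```

Run with `go run main.go`; the unsafe block shows the value split into an `export` plus a second command, while the safe block shows one `export` per variable with the whole value inside a single-quoted literal. Validating the name is as important as quoting the value: quoting cannot help if the name itself contains `=` or a newline.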
References
- github.com/Shopify/ejson2env
- github.com/Shopify/ejson2env/commit/592b3ceea967fee8b064e70983e8cec087b6d840
- github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6
- github.com/advisories/GHSA-2c47-m757-32g6
- github.com/rubysec/ruby-advisory-db/blob/master/gems/ejson2env/CVE-2025-48069.yml
- nvd.nist.gov/vuln/detail/CVE-2025-48069