GHSA-6qjf-g333-pv38
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6qjf-g333-pv38
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-6qjf-g333-pv38/GHSA-6qjf-g333-pv38.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6qjf-g333-pv38
- Aliases
- Published
- 2025-07-14T17:55:06Z
- Modified
- 2025-07-15T23:35:17.294403Z
- Severity
-
- 8.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class
- Details
-
Impact
There is an arbitrary code execution vulnerability in the
CsvEnumeratorclass of thejob-iterationrepository. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise.Patches
Issue is fixed in versions
1.11.0and above.Workarounds
Users can mitigate the risk by avoiding the use of untrusted input in the
CsvEnumeratorclass and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid callingsizeon enumerators constructed with untrusted CSV filenames. - Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-78" ], "severity": "HIGH", "github_reviewed_at": "2025-07-14T17:55:06Z", "nvd_published_at": "2025-07-14T20:15:29Z" }- References
-
- https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
- https://nvd.nist.gov/vuln/detail/CVE-2025-53623
- https://github.com/Shopify/job-iteration/pull/595
- https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55
- https://github.com/Shopify/job-iteration
- https://github.com/Shopify/job-iteration/releases/tag/v1.11.0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/job-iteration/CVE-2025-53623.yml
Affected packages
RubyGems / job-iteration
Package
- Name
- job-iteration
- Purl
- pkg:gem/job-iteration