CVE-2025-53623 – job-iteration
Package
Manager: gem
Name: job-iteration
Vulnerable Version: >=0 <1.11
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00085 (percentile 0.25479)
Details
Job Iteration API is vulnerable to an OS command injection attack through its CsvEnumerator class.

Impact

There is an arbitrary code execution vulnerability in the `CsvEnumerator` class of the `job-iteration` repository. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise.

Patches

The issue is fixed in versions `1.11.0` and above.

Workarounds

Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid calling `count_of_rows_in_file` on enumerators constructed with untrusted CSV filenames.
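An added example, not part of the advisory or of the job-iteration gem, implementing the workaround above in Ruby: an untrusted CSV filename is validated and confined to an assumed upload directory before it is handed to `CsvEnumerator`, and the installed gem version is compared against the fixed release. `CSV_BASE_DIR` and the helper names are assumptions of this example.

```ruby
# Added example (not from the advisory or the job-iteration gem).
# CSV_BASE_DIR is an assumed directory holding application-controlled CSV files.
CSV_BASE_DIR = "/var/app/uploads/csv"

# Characters that carry meaning for a POSIX shell, plus whitespace and NUL.
# A filename containing any of them is rejected outright, since the advisory
# classifies the bug as CWE-78 (OS command injection) via the file path.
SHELL_META = /[\s;&|`$<>()\[\]{}*?!~'"\\\0]/

class UnsafeCsvPath < ArgumentError; end

# Returns the absolute, validated path, or raises UnsafeCsvPath.
# Only this value should ever reach CsvEnumerator / count_of_rows_in_file.
def safe_csv_path(untrusted, base_dir = CSV_BASE_DIR)
  raise UnsafeCsvPath, "empty filename" if untrusted.nil? || untrusted.empty?
  raise UnsafeCsvPath, "shell metacharacter in filename" if untrusted.match?(SHELL_META)
  raise UnsafeCsvPath, "only .csv files are allowed" unless untrusted.end_with?(".csv")

  base = File.expand_path(base_dir)
  full = File.expand_path(untrusted, base) # normalises "..", "./", absolute paths
  # Containment check: the normalised path must live strictly under base_dir.
  unless full.start_with?(base + File::SEPARATOR)
    raise UnsafeCsvPath, "path escapes #{base_dir}"
  end
  full
end

# Boolean form of the same check, convenient for logging or request filtering.
def csv_path_safe?(untrusted, base_dir = CSV_BASE_DIR)
  safe_csv_path(untrusted, base_dir)
  true
rescue UnsafeCsvPath
  false
end

# True when the installed job-iteration version is at or above the fixed release.
def job_iteration_patched?(installed_version)
  Gem::Version.new(installed_version) >= Gem::Version.new("1.11.0")
end
```

The path check is a workaround only; the advisory's actual fix is upgrading to 1.11.0 or later, which `job_iteration_patched?` verifies.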
Metadata
Created: 2025-07-14T17:55:06Z
Modified: 2025-08-20T23:15:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-6qjf-g333-pv38/GHSA-6qjf-g333-pv38.json
CWE IDs: CWE-78
Alternative ID: GHSA-6qjf-g333-pv38
Finding: F404
Auto approve: 1