How severe is CVE-2025-48069?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.6 out of 10.

What type of vulnerability is CVE-2025-48069?

This is classified as CWE-78, which is a common weakness in software security.

CVE-2025-48069 - MEDIUM Severity | CVSS 6.6

Vulnerability Description

ejson2env allows users to decrypt EJSON secrets and export them as environment variables. Prior to version 2.0.8, the `ejson2env` tool has a vulnerability related to how it writes to `stdout`. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to `stdout`. If this output is improperly utilized in further command execution, it could lead to command injection, allowing an attacker to execute arbitrary commands on the host system. Version 2.0.8 sanitizes output during decryption. Other mitigations involve avoiding use of `ejson2env` to decrypt untrusted user secrets and/or avoiding evaluating or executing the direct output from `ejson2env` without removing nonprintable characters.

Related Vulnerabilities

CVE-2018-0643

MEDIUM

CVSS:6.6(Medium)

Ubuntu14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-server) 1:1.4.9+p41-u4jma1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via unspecified vect...

CWE-782018

CVE-2019-6013

MEDIUM

CVSS:6.6(Medium)

DBA-1510P firmware 1.70b009 and earlier allows authenticated attackers to execute arbitrary OS commands via Command Line Interface (CLI).

CWE-782019

CVE-2020-7735

MEDIUM

CVSS:6.6(Medium)

The package ng-packagr before 10.1.1 are vulnerable to Command Injection via the styleIncludePaths option.

CWE-782020

CVE-2023-46306

MEDIUM

CVSS:6.6(Medium)

The web administration interface in NetModule Router Software (NRSW) 4.6 before 4.6.0.106 and 4.8 before 4.8.0.101 executes an OS command constructed with unsanitized user input: shell metacharacters ...

CWE-782023

CVE-2023-47220

MEDIUM

CVSS:6.6(Medium)

An OS command injection vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We...

CWE-782023

CVE-2024-50569

MEDIUM

CVSS:6.6(Medium)

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb 7.0.0 through 7.6.0 allows attacker to execute unauthorized code or commands via craft...

CWE-782024