CVE-2025-6193 is a command injection vulnerability identified in the TrustyAI Explainability toolkit, specifically affecting the Red Hat OpenShift AI (RHOAI) platform. The vulnerability arises from improper neutralization of special elements used in operating system commands within the LMEValJob custom resource (CR). When a user with permissions to deploy a custom resource crafts a malicious LMEValJob, arbitrary OS commands can be executed within the terminal of the LMEvalJob pod. This means that an attacker who can create or modify LMEValJob CRs can inject shell commands that the system will execute, potentially leading to unauthorized actions on the underlying host or container environment. The vulnerability has a CVSS v3.1 score of 5.9, categorized as medium severity. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), and user interaction (UI:R). The scope is changed (S:C), with low confidentiality, integrity, and availability impacts individually, but combined with scope change, it implies that the vulnerability can affect resources beyond the initially vulnerable component. No known exploits in the wild have been reported yet. The vulnerability affects version 0 of the product, which likely refers to an initial or early release of RHOAI. Since the vulnerability requires a user with permissions to deploy CRs and some user interaction, exploitation is somewhat limited to insiders or authorized users with elevated privileges. However, the impact of successful exploitation can be significant, allowing arbitrary command execution within the pod environment, which could lead to lateral movement, data leakage, or disruption of AI workloads. The vulnerability is particularly relevant in Kubernetes/OpenShift environments where custom resources are used to manage AI workloads, and where multi-tenant or shared cluster environments exist. Improper input sanitization in the LMEValJob resource fields is the root cause, allowing injection of shell metacharacters or commands.

For European organizations using Red Hat OpenShift AI (RHOAI) or the TrustyAI Explainability toolkit, this vulnerability poses a risk of unauthorized command execution within AI workload pods. This can lead to compromise of AI model integrity, leakage of sensitive data processed by AI workloads, or disruption of AI services critical to business operations. In regulated industries such as finance, healthcare, or critical infrastructure, such compromise could violate compliance requirements (e.g., GDPR) and cause reputational damage. The requirement for high privileges to deploy CRs limits exposure to insider threats or attackers who have already gained elevated access. However, in large organizations with many administrators or automated deployment pipelines, the risk of accidental or malicious exploitation increases. The potential for scope change means that an attacker could leverage this vulnerability to affect other components or services within the cluster, amplifying the impact. Given the increasing adoption of AI and container orchestration platforms in Europe, this vulnerability could affect organizations relying on AI explainability tools for model transparency and compliance. Disruption or manipulation of these tools could undermine trust in AI systems and lead to operational or legal consequences.

1. Restrict permissions to deploy or modify LMEValJob custom resources strictly to trusted administrators and service accounts. Implement the principle of least privilege for Kubernetes RBAC policies. 2. Apply input validation and sanitization on all fields of the LMEValJob CR to neutralize special characters or command injection vectors before processing. 3. Monitor and audit creation and modification of LMEValJob resources for anomalous or unexpected entries that could indicate exploitation attempts. 4. Use container security best practices such as running pods with minimal privileges, disabling shell access where possible, and employing security contexts to limit command execution capabilities. 5. Keep Red Hat OpenShift AI and TrustyAI Explainability toolkit updated with the latest patches once available from Red Hat. 6. Employ network segmentation and pod security policies to isolate AI workloads and reduce lateral movement risk. 7. Implement runtime security monitoring tools that can detect suspicious command execution or process spawning within pods. 8. Educate administrators and DevOps teams about the risks of deploying untrusted custom resources and enforce code reviews for CR definitions.