CVE-2025-6193 identifies an OS command injection vulnerability in the TrustyAI Explainability toolkit, a component integrated within Red Hat OpenShift AI (RHOAI). The flaw arises from improper neutralization of special elements in input fields of the LMEValJob custom resource (CR). Specifically, when a user with deployment permissions creates or modifies an LMEValJob CR with maliciously crafted input, arbitrary OS commands can be executed within the terminal of the LMEvalJob pod. This vulnerability leverages the Kubernetes custom resource mechanism, where the LMEValJob pod processes the CR fields insecurely, allowing injection of shell commands. The CVSS 3.1 score is 5.9 (medium), reflecting network attack vector, low attack complexity, but requiring high privileges and user interaction. The vulnerability affects version 0 of the product, indicating early or initial releases. Exploitation could lead to partial confidentiality loss, integrity compromise, and availability degradation of the pod and potentially the cluster environment if lateral movement occurs. No public exploits or patches are currently documented, but the vulnerability is published and should be addressed promptly. The issue highlights the importance of input validation and secure coding practices in Kubernetes CRDs and AI explainability toolkits.

The vulnerability allows an authenticated user with permissions to deploy custom resources to execute arbitrary OS commands within the LMEValJob pod. This can lead to unauthorized access to sensitive data processed by the pod, modification or deletion of critical files, and disruption of AI explainability services. If the attacker escalates privileges or moves laterally within the cluster, the impact could extend to broader system compromise, affecting the integrity and availability of AI workloads and potentially other OpenShift components. Organizations relying on RHOAI for AI model explainability and deployment may face operational disruptions, data breaches, and loss of trust in AI outputs. The medium severity rating reflects the requirement for authenticated access and user interaction, limiting exposure to internal or trusted users rather than external unauthenticated attackers. However, in environments with weak RBAC or insider threats, the risk is significant.

1. Apply vendor patches or updates as soon as they become available to fix the input validation flaw in the TrustyAI Explainability toolkit. 2. Restrict permissions to deploy or modify LMEValJob custom resources using Kubernetes Role-Based Access Control (RBAC) to only trusted administrators. 3. Implement admission controllers or policy enforcement tools (e.g., OPA Gatekeeper) to validate and sanitize inputs in custom resources before deployment. 4. Monitor audit logs for unusual creation or modification of LMEValJob CRs and unexpected pod behaviors. 5. Isolate AI workloads in dedicated namespaces with strict network policies to limit lateral movement. 6. Conduct regular security reviews of custom resource definitions and their handling code to detect injection risks. 7. Educate developers and operators on secure coding and deployment practices for Kubernetes CRDs and AI toolkits.