The advisory covers two vulnerabilities affecting Red Hat Ansible Automation Platform 2.5: CVE-2025-47273 is a path traversal vulnerability in the setuptools PackageIndex used by the automation-controller, and CVE-2025-48432 is a path injection vulnerability in the python3.11-django package. Both vulnerabilities relate to improper handling of file path inputs, which could be exploited to access or manipulate files outside intended directories. Red Hat has issued updates for the automation-controller, python3.11-django, and related components to fix these issues. The advisory also details numerous other bug fixes and feature enhancements in the 2.5 update. The vulnerabilities are rated with moderate severity by Red Hat Product Security.

The path traversal and path injection vulnerabilities could allow an attacker to access or manipulate files on the system by exploiting improper input validation in the affected components. This could lead to unauthorized disclosure or modification of files within the context of the Ansible Automation Platform environment. The overall security impact is rated as moderate by Red Hat. There are no known exploits in the wild at the time of this advisory.

Red Hat has released updated packages for Red Hat Ansible Automation Platform 2.5 that address these vulnerabilities. Users should apply the official security update RHSA-2025:14686 to remediate the issues. The advisory includes updated versions of automation-controller (4.6.19), python3.11-django (4.2.23), and other related components. Applying these updates is the recommended and supported mitigation. Patch status is confirmed by the vendor advisory. No additional mitigation steps are indicated beyond applying the official update.