This advisory covers two security vulnerabilities in Red Hat Ansible Automation Platform 2.5: CVE-2025-59343, a symlink validation bypass in automation-gateway's tar-fs component, and CVE-2025-59682, a potential partial directory-traversal vulnerability in python3.11-django's archive.extract() function. Both vulnerabilities relate to improper handling of archive extraction, potentially allowing attackers to write files outside intended directories. Red Hat has released updated packages for automation-gateway, python3.11-django-ansible-base, and related components to address these issues. The advisory also includes various other bug fixes and feature improvements. The update is classified as important by Red Hat Product Security. No CVSS scores are provided in the advisory, and no known exploits have been observed in the wild.

The vulnerabilities could allow an attacker to bypass symlink validation or perform partial directory traversal during archive extraction, potentially leading to unauthorized file writes or overwrites outside the intended extraction directory. This could result in unauthorized modification of files or system compromise depending on the context of exploitation. The advisory rates the security impact as important (high severity). No known exploits in the wild have been reported at this time.

Red Hat has released updated packages for Red Hat Ansible Automation Platform 2.5 that address these vulnerabilities. Users should apply the provided security update (RHSA-2025:18979) to upgrade automation-gateway, python3.11-django-ansible-base, and related components to the fixed versions. Applying this update will remediate the symlink validation bypass and directory traversal issues. No additional mitigation steps are indicated by the vendor advisory.