Red Hat Ansible Automation Platform 2.5 for RHEL 8 and 9 is affected by multiple security vulnerabilities, notably including CVE-2025-9907 which involves exposure of sensitive internal headers in the Event-Driven Ansible (EDA) event streams when test mode is enabled. Other vulnerabilities fixed include Django SQL injection (CVE-2025-64459), improper path validation in automation-gateway allowing credential exfiltration (CVE-2025-9909), an Axios denial of service due to lack of data size check (CVE-2025-58754), and a receptor crash due to premature handshake frame (CVE-2025-59530). Red Hat has released updated packages for automation-controller, automation-eda-controller, automation-gateway, receptor, and related components as part of the RHSA-2025:23069 advisory. These updates address the security flaws and include additional bug fixes and improvements to the platform. The advisory rates the security impact as Important (high severity) and provides updated versions to remediate the issues.

The vulnerabilities could allow attackers to expose sensitive internal headers, perform SQL injection attacks, exfiltrate credentials due to improper path validation, cause denial of service conditions, or crash components of the platform. These impacts could compromise confidentiality and availability of the affected Ansible Automation Platform deployments. The advisory rates the overall security impact as Important (high severity). There are no reports of known exploits in the wild at this time.

Red Hat has released updated packages for Red Hat Ansible Automation Platform 2.5 for RHEL 8 and 9 that address these vulnerabilities. Users should apply the security update RHSA-2025:23069 promptly to remediate the issues. The vendor advisory and errata page provide the updated package versions and installation instructions. No additional mitigations or workarounds are specified beyond applying the official fixes.