Skyvern - RCE (CVE-2025-49619)
7 Exploiting IPs reported
Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE).
CrowdSec analysis
CVE-2025-49619 is a server-side template injection (SSTI) vulnerability in Skyvern through version 0.1.85, affecting workflow blocks like the Navigation v2 Block. Due to improper sanitization of Jinja2 template input, authenticated users can inject malicious expressions into the Prompt field, resulting in blind remote code execution on the server. This flaw could allow attackers to execute arbitrary commands and potentially compromise sensitive data or system integrity.
CrowdSec has been tracking this vulnerability and its exploits since the 17th of September 2025.
Based on data from the CrowdSec network, nearly all observed exploitation of CVE-2025-49619 is fully opportunistic, with attackers indiscriminately scanning the entire internet. These attacks are automated and lack any form of target selection or reconnaissance. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2025-49619. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.
Attackers exploit the Skyvern Workflow Editor by sending crafted POST requests to /api/v1/workflows with malicious Jinja2 template payloads in the prompt field, enabling remote code execution when the workflow is rendered. These attacks require a valid API key and typically target authenticated endpoints related to workflow creation and execution.
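One way to triage the requests described above, as an added example that is not CrowdSec's or Skyvern's code: it walks a workflow-creation body for prompt fields and flags Jinja2 tags that are more than a plain placeholder. The JSON body layout, the sample bodies and the "plain placeholder" heuristic are assumptions made for illustration.

```python
import json
import re

# Jinja2 expression {{ ... }} or statement {% ... %} delimiters.
TEMPLATE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
# Assumed heuristic: a benign placeholder is a dotted identifier path only.
PLAIN = re.compile(r"^\s*[A-Za-z_]\w*(\.[A-Za-z_]\w*)*\s*$")
DUNDER = re.compile(r"__\w+__")  # Python internals reached via attribute access

def prompt_fields(node, path="$"):
    """Yield (json_path, text) for every string field named 'prompt'."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "prompt" and isinstance(value, str):
                yield f"{path}.{key}", value
            else:
                yield from prompt_fields(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from prompt_fields(item, f"{path}[{i}]")

def suspicious_expressions(prompt):
    """Return template tags that are statements, touch dunders, or are not plain."""
    hits = []
    for m in TEMPLATE.finditer(prompt):
        expr = m.group(1)  # None when the tag is a {% ... %} statement
        if expr is None or DUNDER.search(expr) or not PLAIN.match(expr):
            hits.append(m.group(0))
    return hits

def inspect_request(method, path, body):
    """Return [(json_path, tag)] for POST /api/v1/workflows, else []."""
    if method.upper() != "POST" or path.split("?")[0].rstrip("/") != "/api/v1/workflows":
        return []
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # assumption: JSON bodies only; anything else is not inspected here
    return [(where, tag) for where, text in prompt_fields(doc)
            for tag in suspicious_expressions(text)]

# Constructed sample bodies (field layout is illustrative, not Skyvern's schema).
BENIGN = '{"blocks": [{"prompt": "Open {{ site.url }} and log in"}]}'
FLAGGED = '{"blocks": [{"prompt": "Go to {{ x.__class__ }}"}]}'

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, inspect_request("POST", "/api/v1/workflows", body))
```

A hit is a lead for review rather than proof of exploitation; correlate it with the API key that submitted the workflow.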
Exploitation
Get real-time information about exploitation attempts and actors involved.
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.