SB20251210209 - Multiple vulnerabilities in Ansible Automation Platform 2.5 packages 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20251210209

SB20251210209 - Multiple vulnerabilities in Ansible Automation Platform 2.5 packages

Published: December 10, 2025 Updated: January 4, 2026

Security Bulletin ID SB20251210209
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) SQL injection (CVE-ID: CVE-2025-64459)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


2) Input validation error (CVE-ID: CVE-2025-9909)

The vulnerability allows a remote user to create hidden routes within the application.

The vulnerability exists due to insufficient validation of user-supplied input when creating routes. A remote privileged user can create routes starting with a double slash (//), that look very much like legitimate URLs. This can be used to set up a "honey-pot" route to capture and exfiltrate user credentials.


3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-58754)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits within data: URL decode. A remote attacker can cause a denial of service condition on the target system.


4) Reachable assertion (CVE-ID: CVE-2025-59530)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to premature HANDSHAKE_DONE frame. A remote attacker can trigger an assertion in a quic-go client and cause a deial of service condition on the target system.


Remediation

Install update from vendor's website.

References