SB2026012865 - Multiple vulnerabilities in Ansible Automation Platform 2.5 packages 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026012865

SB2026012865 - Multiple vulnerabilities in Ansible Automation Platform 2.5 packages

Published: January 28, 2026

Security Bulletin ID SB2026012865
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2025-66471)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the streaming API does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


2) Improper handling of highly compressed data (CVE-ID: CVE-2025-69223)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the application does not properly handle highly compressed data within the auto_decompress feature. A remote attacker can send a specially crafted compressed HTTP request to the server and consume all available memory resources. 


3) Resource management error (CVE-ID: CVE-2025-64460)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the django.core.serializers.xml_serializer.getInnerText() function of XML Deserializer when handling XML data. A remote attacker can pass specially crafted XML input to the application and perform a denial of service (DoS) attack.


4) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-53643)

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to not parsing trailer sections of an HTTP request. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.


5) Resource exhaustion (CVE-ID: CVE-2025-61729)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the HostnameError.Error() function in crypto/x509 when printing error string for host certificate validation. A remote attacker can supply a specially crafted certificate to the application and trigger resource exhaustion, leading to a denial of service condition. 


Remediation

Install update from vendor's website.

References