Nixpkgs security tracker

Untriaged

Permalink CVE-2025-9907

6.7 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 month, 4 weeks ago Activity log

Created suggestion 1 month, 4 weeks ago

Event-driven-ansible: event stream test mode exposes sensitive headers in aap eda

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. The possible outcome includes leakage of internal infrastructure details, accidental disclosure of user or system credentials, privilege escalation if high-value tokens are exposed, and persistent sensitive data exposure to all users with read access on the event stream.

References

RHSA-2025:19201 vendor-advisoryx_refsource_REDHAT
RHSA-2025:19221 vendor-advisoryx_refsource_REDHAT
RHSA-2025:23069 vendor-advisoryx_refsource_REDHAT
RHSA-2025:23131 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-9907 vdb-entryx_refsource_REDHAT
RHBZ#2392834 issue-trackingx_refsource_REDHAT

Affected products

bindep

molecule

ansible-lint

ansible-sign

automation-hub

ansible-builder

ansible-creator

ansible-dev-tools

ansible-navigator

python3.11-django

python3.11-pluggy

python3.11-pytest

python3.11-distlib

python3.11-execnet

python3.11-gunicorn

python3.11-galaxy-ng

python3.11-tox-ansible

ansible-dev-environment

python3.11-pytest-xdist

automation-eda-controller

python3.11-ansible-compat

python3.11-pytest-ansible

python3.11-subprocess-tee

python3.11-galaxy-importer

python3.11-ruamel-yaml-clib

python3.11-typing-extensions

ansible-automation-platform-25/eda-controller-rhel8

ansible-automation-platform-26/eda-controller-rhel9

Matching in nixpkgs

pkgs.molecule

Molecule aids in the development and testing of Ansible roles

nixos-unstable 25.12.0
- nixpkgs-unstable 25.12.0
- nixos-unstable-small 25.12.0
nixos-25.11 25.11.1
- nixos-25.11-small 25.11.1
- nixpkgs-25.11-darwin 25.11.1

pkgs.ansible-lint

Best practices checker for Ansible

nixos-unstable 25.8.2
- nixpkgs-unstable 25.8.2
- nixos-unstable-small 25.8.2
nixos-25.11 25.8.2
- nixos-25.11-small 25.8.2
- nixpkgs-25.11-darwin 25.8.2

pkgs.ansible-builder

Ansible execution environment builder

nixos-unstable 3.1.1
- nixpkgs-unstable 3.1.1
- nixos-unstable-small 3.1.1
nixos-25.11 3.1.1
- nixos-25.11-small 3.1.1
- nixpkgs-25.11-darwin 3.1.1

pkgs.ansible-navigator

Text-based user interface (TUI) for Ansible

nixos-unstable 25.12.0
- nixpkgs-unstable 25.12.0
- nixos-unstable-small 25.12.0
nixos-25.11 25.11.0
- nixos-25.11-small 25.11.0
- nixpkgs-25.11-darwin 25.11.0

pkgs.python312Packages.bindep

Bindep is a tool for checking the presence of binary packages needed to use an application / library

nixos-25.11 2.13.0
- nixos-25.11-small 2.13.0
- nixpkgs-25.11-darwin 2.13.0

pkgs.python313Packages.bindep

Bindep is a tool for checking the presence of binary packages needed to use an application / library

nixos-unstable 2.13.0
- nixpkgs-unstable 2.13.0
- nixos-unstable-small 2.13.0
nixos-25.11 2.13.0
- nixos-25.11-small 2.13.0
- nixpkgs-25.11-darwin 2.13.0

pkgs.python314Packages.bindep

Bindep is a tool for checking the presence of binary packages needed to use an application / library

nixos-unstable 2.13.0
- nixpkgs-unstable 2.13.0
- nixos-unstable-small 2.13.0

pkgs.python312Packages.molecule

Molecule aids in the development and testing of Ansible roles

nixos-25.11 25.11.1
- nixos-25.11-small 25.11.1
- nixpkgs-25.11-darwin 25.11.1

pkgs.python313Packages.molecule

Molecule aids in the development and testing of Ansible roles

nixos-unstable 25.12.0
- nixpkgs-unstable 25.12.0
- nixos-unstable-small 25.12.0
nixos-25.11 25.11.1
- nixos-25.11-small 25.11.1
- nixpkgs-25.11-darwin 25.11.1