
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-48069 affects ejson2env, a tool that allows users to decrypt EJSON secrets and export them as environment variables. The vulnerability was discovered in versions prior to 2.0.8 and was disclosed on May 21, 2025. The issue relates to inadequate output sanitization when writing to stdout, which could potentially lead to command injection vulnerabilities (GitHub Advisory, NVD).
The vulnerability stems from insufficient sanitization of environment variables during the decryption phase. When the tool writes export statements for environment variables and their values to stdout, malicious content in variable names or values could result in unintended commands being output. The issue has been assigned a CVSS v3.1 score of 6.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating high potential impact on confidentiality, integrity, and availability, but requiring high attack complexity and privileges (Wiz).
If the output from ejson2env is improperly utilized in further command execution (such as through source $(ejson2env) or eval ejson2env), an attacker with control over .ejson files could potentially execute arbitrary commands on the host system (GitHub Advisory, Wiz).
The vulnerability has been patched in version 2.0.8, which implements proper sanitization of output during decryption. For users unable to update immediately, alternative mitigations include avoiding the use of ejson2env to decrypt untrusted user secrets and avoiding evaluating or executing the direct output from ejson2env without removing nonprintable characters (GitHub Advisory, GitHub Commit).
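The failure mode in the paragraphs above, shown as an added Go example (not ejson2env's own code or its 2.0.8 patch): the unsafe form interpolates a decrypted name and value straight into an export statement, while the hardened form validates the name, strips nonprintable characters as the advisory's interim mitigation suggests, and single-quotes the value so the shell never interprets it. Function names and the sample values are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Only plain POSIX identifiers are accepted as variable names; anything else
// (spaces, ';', '$', newlines) is refused instead of being written to stdout.
var validName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// UnsafeExportStatement mirrors the pre-2.0.8 failure mode described above:
// name and value are interpolated verbatim, so a newline in either one ends
// the export early and whatever follows lands on its own line for eval.
func UnsafeExportStatement(key, value string) string {
	return "export " + key + "=" + value
}

// stripNonPrintable drops control characters (\n, \r, ESC, ...), which is the
// interim mitigation the advisory recommends for consumers of the raw output.
func stripNonPrintable(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return -1
		}
		return r
	}, s)
}

// shellQuote single-quotes v and rewrites embedded single quotes as '\'' so
// that $(...), backticks and ';' inside a secret stay literal when eval'd.
func shellQuote(v string) string {
	return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
}

// ExportStatement is the hardened form: the name is validated, control
// characters are removed and the value is quoted. It fails closed on a bad
// name instead of emitting a line the shell might parse as a command.
func ExportStatement(key, value string) (string, error) {
	if !validName.MatchString(key) {
		return "", fmt.Errorf("refusing to export unsafe variable name %q", key)
	}
	return "export " + key + "=" + shellQuote(stripNonPrintable(value)), nil
}
```

A constructed value such as "abc\necho not-a-secret" becomes a single quoted line under ExportStatement, whereas UnsafeExportStatement emits the text after the newline as a separate line for the consuming shell.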
Source: This report was generated using AI