
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-49619 is a server-side template injection (SSTI) vulnerability in Skyvern versions up to and including 0.1.85. It was discovered on June 2nd, 2025, and assigned a CVE on June 7th, 2025. It affects both the self-hosted and the cloud versions of Skyvern, specifically the workflow edit mode, where an authenticated user can place Jinja2 expressions in the Prompt field of workflow blocks such as the Navigation v2 Block (Cristibtz Blog).
The root cause is unsafe rendering of Jinja2 template expressions in the sdk/workflow/models/block.py file. The Prompt field is compiled and rendered as a Jinja2 template without sandboxing, so an expression the user types is evaluated with full access to Python object internals; the well-known SSTI object walk (from a string literal through __class__, __mro__ and __subclasses__) reaches modules such as os and subprocess and yields arbitrary code execution. The vulnerability has been assigned a CVSS v3.1 base score of 8.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N (NVD, Wiz).
Any authenticated user who can edit a workflow can therefore execute system commands on the server that renders the prompt. In a multi-tenant deployment, a malicious tenant or an external user with an account can use this for full system compromise, data exfiltration, or lateral movement, since the scope change in the CVSS vector reflects that the impact lands on the shared host rather than on the tenant's own workflow (Cristibtz Blog, Wiz).
The vulnerability has been patched in a fix committed to the Skyvern repository on June 3rd, 2025. The fix replaces the plain Jinja2 Template with a SandboxedEnvironment, which refuses access to private attributes (names starting with an underscore) and to unsafe callables, so the object walk above fails with a SecurityError instead of executing. Users should upgrade to a release later than 0.1.85 (Github Commit). Note that the sandbox restricts what a template may do with the objects it is given; it does not restrict what those objects expose, so the context passed into render() should still be plain data rather than live application objects.
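The two rendering patterns side by side, as an added example that is not Skyvern's own code: the render_unsafe, render_sandboxed and probe functions, the SSTI_PROMPT payload and the PARAMS context are constructed here for illustration. The payload only reads Python internals (the count of subclasses of object) so that the demo has no side effects, but it is the first step of the same object walk an attacker would continue to subprocess.Popen or os.system.

```python
from jinja2 import Template
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed attacker-controlled content for a workflow Prompt field.
# The second expression reaches Python internals through the string
# literal's __class__; a real payload continues from __subclasses__()
# to a class whose globals expose os or subprocess.
SSTI_PROMPT = (
    "Navigate to {{ url }} "
    "{{ ''.__class__.__mro__[1].__subclasses__()|length }}"
)

# A benign prompt that only substitutes a workflow parameter.
BENIGN_PROMPT = "Navigate to {{ url }}"

# Hypothetical workflow parameters (not Skyvern's real context shape).
PARAMS = {"url": "https://example.com"}


def render_unsafe(prompt: str, params: dict) -> str:
    """Vulnerable pattern: a plain jinja2.Template evaluates any expression
    with unrestricted attribute access on every object it can reach."""
    return Template(prompt).render(**params)


def render_sandboxed(prompt: str, params: dict) -> str:
    """Hardened pattern: SandboxedEnvironment rejects private-attribute
    access and unsafe callables, raising SecurityError at render time."""
    env = SandboxedEnvironment()
    return env.from_string(prompt).render(**params)


def probe(prompt: str, params: dict) -> tuple:
    """Render the same prompt both ways.

    Returns (unsafe_output, sandbox_blocked): the unrestricted output and
    whether the sandbox refused the template with a SecurityError."""
    unsafe_output = render_unsafe(prompt, params)
    try:
        render_sandboxed(prompt, params)
        blocked = False
    except SecurityError:
        blocked = True
    return unsafe_output, blocked


if __name__ == "__main__":
    out, blocked = probe(SSTI_PROMPT, PARAMS)
    print("plain Template rendered:", out)
    print("sandbox blocked payload:", blocked)
    # Legitimate parameter substitution is unaffected by the sandbox.
    print("sandboxed benign prompt:", render_sandboxed(BENIGN_PROMPT, PARAMS))
```

Running the module shows the plain Template happily returning a subclass count appended to the prompt, while the sandboxed render of the same string raises SecurityError; the benign prompt renders identically in both, which is the property to check after applying the fix.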
The Skyvern maintainers acknowledged the report and committed the fix within 24 hours of the initial disclosure (Cristibtz Blog).
Source: This report was generated using AI