Skip to content

OS Command Injection in job-iteration gem's CsvEnumerator class

Moderate
dv-shop published GHSA-6qjf-g333-pv38 Jul 14, 2025

Package

bundler job-iteration (RubyGems)

Affected versions

<=1.10

Patched versions

1.11

Description

Impact

Arbitrary code execution vulnerability in the CsvEnumerator class of the job-iteration repository. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise.

Patches

Issue is fixed in versions 1.11.0 and above.

Workarounds

Users can mitigate the risk by avoiding the use of untrusted input in the CsvEnumerator class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid calling size on enumerators constructed with untrusted CSV filenames.

Severity

Moderate

CVE ID

CVE-2025-53623

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Learn more on MITRE.

Credits