CVE-2025-48069
Description
ejson2env allows users to decrypt EJSON secrets and export them as environment variables. Prior to version 2.0.8, the ejson2env tool has a vulnerability related to how it writes to stdout. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to stdout. If this output is improperly utilized in further command execution, it could lead to command injection, allowing an attacker to execute arbitrary commands on the host system. Version 2.0.8 sanitizes output during decryption. Other mitigations involve avoiding use of ejson2env to decrypt untrusted user secrets and/or avoiding evaluating or executing the direct output from ejson2env without removing nonprintable characters.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/Shopify/ejson2env/v2Go | < 2.0.8 | 2.0.8 |
ejson2envRubyGems | < 2.0.8 | 2.0.8 |
github.com/Shopify/ejson2envGo | >= 0 | — |
Affected products
1Patches
278a5842136b5592b3ceea967Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-2c47-m757-32g6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-48069ghsaADVISORY
- github.com/Shopify/ejson2env/commit/592b3ceea967fee8b064e70983e8cec087b6d840nvdWEB
- github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6nvdWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/ejson2env/CVE-2025-48069.ymlghsaWEB
News mentions
0No linked articles in our index yet.