VYPR
Medium severity 5.3 · NVD Advisory · Published Aug 4, 2025 · Updated Apr 15, 2026

CVE-2025-5988

Description

A flaw was found in the Ansible aap-gateway. Cross-site request forgery (CSRF) origin checking is not done on requests from the gateway to external components, such as the controller, hub, and eda.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing CSRF origin checks in aap-gateway can let an attacker send forged requests to external components like controller, hub, and eda.

Vulnerability

Overview

A flaw was found in the Ansible Automation Platform Gateway (aap-gateway) where cross-site request forgery (CSRF) origin checking is not performed on requests from the gateway to external components such as the controller, hub, and eda [1][3]. This means that the gateway does not validate the Origin header in requests forwarded to these external services, leaving them open to potential CSRF attacks [3].

Exploitation

Prerequisites

For exploitation, TLS edge termination must be configured prior to a request being passed into the gateway, as referer checking is used in place of origin checking for HTTPS requests [3]. Additionally, an attacker would need to obtain a valid CSRF form token associated with the victim's CSRF cookie [3]. This could be accomplished by making a cross-origin request to the platform via JavaScript while using the victim's cookies (though modern browsers typically block such requests) or by finding another means to derive the token [3]. Despite these requirements, the missing check increases the attack surface for cross-origin request forgery.
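The check the text says the gateway omits, as an added example that is not aap-gateway's code: a forwarding gateway validates the Origin header on state-changing requests, falls back to the Referer only when the client used HTTPS (the is_secure flag must come from the edge terminator's X-Forwarded-Proto, per the prerequisites above), and then requires the submitted token to match the CSRF cookie. The trusted origin, header names and cookie name are assumptions, not values from the advisory.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def _site(url):
    """Reduce a URL to 'scheme://host[:port]' for origin comparison; None if malformed."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else None


def csrf_check(method, headers, cookies, is_secure, trusted_origins):
    """Return (allowed, reason) for a request the gateway is about to forward.

    headers/cookies are plain dicts; is_secure must reflect the scheme the
    client actually used (X-Forwarded-Proto when TLS terminates at the edge).
    Header and cookie names are assumed for this example.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = headers.get("Origin")
    if origin is not None:
        # An opaque "null" origin reduces to None and is rejected too.
        if _site(origin) not in trusted_origins:
            return False, "origin not trusted"
    elif is_secure:
        # No Origin header on an HTTPS request: fall back to Referer.
        referer = headers.get("Referer")
        if referer is None:
            return False, "https request without Origin or Referer"
        if _site(referer) not in trusted_origins:
            return False, "referer not trusted"
    # Double-submit check: the submitted token must match the CSRF cookie.
    token = headers.get("X-CSRFToken")
    cookie = cookies.get("csrftoken")
    if not token or not cookie or not hmac.compare_digest(token, cookie):
        return False, "csrf token missing or mismatched"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests; the trusted origin is an assumption.
    trusted = {"https://aap.example.internal"}
    cookies = {"csrftoken": "t1"}
    for hdrs in ({"Origin": "https://aap.example.internal", "X-CSRFToken": "t1"},
                 {"Origin": "https://evil.example", "X-CSRFToken": "t1"},
                 {"Referer": "https://aap.example.internal/ui/", "X-CSRFToken": "t1"}):
        print(hdrs, "->", csrf_check("POST", hdrs, cookies, True, trusted))
```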

Impact

An attacker who successfully crafts a CSRF attack could perform actions on external components (controller, hub, eda) on behalf of an authenticated user without their knowledge. This could lead to unauthorized changes to automation configurations, credentials, or other sensitive operations managed by those components.

Mitigation

Red Hat has released an advisory (RHSA-2025:12772) as part of Ansible Automation Platform 2.5, which includes updates that address this vulnerability [1][2]. Users are advised to apply the update as soon as possible. No workarounds are mentioned in the available references.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)