CVE-2025-1801 Overview
CVE-2025-1801 is a race condition vulnerability in the Ansible Automation Platform (AAP) gateway. Concurrent requests handled by the gateway gRPC service trigger concurrency issues against the proxy. The flaw allows a less privileged authenticated user to obtain the JSON Web Token (JWT) of a higher privileged user. Successful exploitation jeopardizes the server, exposes user sessions, and leaks confidential data. Red Hat published security errata RHSA-2025:1954 to address the issue. The weakness is tracked under CWE-362 for concurrent execution using shared resources with improper synchronization.
Critical Impact
A low-privileged user can hijack a high-privileged user's JWT through a race condition in the gRPC proxy, leading to full account takeover and unauthorized access to confidential data.
Affected Products
- Red Hat Ansible Automation Platform (aap-gateway component)
- Ansible Automation Platform Gateway gRPC service
- Deployments using the Ansible aap-gateway proxy for authentication
Discovery Timeline
- 2025-03-03 - CVE-2025-1801 published to the National Vulnerability Database
- 2025-03-03 - Red Hat releases security errata RHSA-2025:1954
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-1801
Vulnerability Analysis
The vulnerability resides in the Ansible aap-gateway gRPC service, which acts as an authentication and routing proxy for Ansible Automation Platform components. When the gateway processes concurrent requests, a race condition occurs in the JWT issuance and proxy handling logic. Two requests arriving simultaneously can interleave session state. As a result, the gateway returns a JWT minted for a different user than the one that authenticated.
An authenticated attacker with low privileges can repeatedly issue parallel requests while a privileged user is active. Winning the race causes the proxy to return that privileged user's JWT to the attacker. The attacker then uses that token to authenticate as the higher privileged account.
Root Cause
The root cause is improper synchronization of shared state during concurrent gRPC request handling, classified as [CWE-362]. Session and token context are not bound atomically to the originating request before the proxy returns its response. Concurrent execution allows one request to read or receive state produced for another.
Attack Vector
The attack vector is network-based and requires low privileges with no user interaction. The attacker authenticates with a valid low-privilege account, then floods the gateway gRPC endpoint with concurrent requests to trigger the race window. No code example is published; the exploitation pattern relies on timing rather than payload content. Refer to the Red Hat CVE Details and Red Hat Bug Report #2349081 for vendor-confirmed technical details.
Detection Methods for CVE-2025-1801
Indicators of Compromise
- High volumes of concurrent or parallel gRPC requests from a single authenticated user to the aap-gateway service.
- JWTs issued for one user being presented from a source IP or session associated with a different account.
- Unexpected privilege escalation events in Ansible Automation Platform audit logs without a corresponding administrative action.
- API calls executed by accounts that have no prior history of accessing those resources.
Detection Strategies
- Correlate JWT sub claims against the authenticating session and source IP, and alert on mismatches.
- Monitor gateway gRPC request rates per user and flag bursts that exceed normal interactive patterns.
- Review audit logs in Ansible Automation Platform for privileged actions performed shortly after a low-privileged login.
Monitoring Recommendations
- Enable verbose authentication and proxy logging on the aap-gateway and forward logs to a centralized SIEM.
- Track token issuance events and tie them to request identifiers to detect cross-user token leakage.
- Alert on simultaneous active sessions for the same JWT originating from different source addresses.
How to Mitigate CVE-2025-1801
Immediate Actions Required
- Apply the updates published in RHSA-2025:1954 to all Ansible Automation Platform gateway instances.
- Rotate JWT signing keys and invalidate existing tokens after patching to revoke any tokens that may have been hijacked.
- Audit user activity and privileged actions performed since the gateway was deployed to identify suspicious escalations.
- Restrict network access to the aap-gateway gRPC service to trusted management networks where feasible.
Patch Information
Red Hat addressed CVE-2025-1801 in the security errata RHSA-2025:1954. Administrators should upgrade the aap-gateway package to the fixed version delivered through Red Hat repositories. Review the Red Hat CVE Details page for the complete list of fixed package versions and supported channels.
Workarounds
- Reduce concurrency to the gateway by rate-limiting authenticated users at the load balancer until patches are applied.
- Restrict low-privileged accounts from accessing the gateway API surface where business requirements allow.
- Require short-lived JWT lifetimes and enforce reauthentication to limit the window of token reuse.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

