CVE-2025-53623 Overview
CVE-2025-53623 is a command injection vulnerability in the Shopify job-iteration Ruby gem, an extension to ActiveJob that makes jobs interruptible and resumable. Versions prior to 1.11.0 pass unsanitized file paths into a shell command through the CsvEnumerator class. An attacker who can influence the CSV filename argument can execute arbitrary operating system commands in the context of the application process. The flaw is tracked as [CWE-78] OS Command Injection and is fixed in version 1.11.0.
Critical Impact
Successful exploitation grants arbitrary command execution on the host, enabling unauthorized access, data exfiltration, or full system compromise.
Affected Products
- Shopify job-iteration gem versions prior to 1.11.0
- Ruby on Rails applications using CsvEnumerator with untrusted filenames
- Background job workers invoking count_of_rows_in_file on attacker-controlled CSV paths
Discovery Timeline
- 2025-07-14 - CVE-2025-53623 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-53623
Vulnerability Analysis
The CsvEnumerator class in job-iteration counts rows in a CSV file to support resumable iteration. In vulnerable versions, the row count is computed by shelling out to the Unix wc utility with the filename interpolated directly into the command string. Ruby's %x() syntax executes the resulting string through a shell, so any shell metacharacters present in the filename are interpreted by the shell rather than treated as part of a literal path.
When an application accepts a filename from user input, an HTTP parameter, a database record, or another untrusted channel, an attacker can craft a value that breaks out of the intended argument and runs arbitrary commands. Code execution occurs with the privileges of the worker process, which typically has access to application secrets, database credentials, and cloud metadata services.
Root Cause
The root cause is unsafe shell command construction in lib/job-iteration/csv_enumerator.rb. The count_of_rows_in_file method interpolated the filepath variable into a backtick command without escaping or quoting. The fix replaces the shell invocation with a pure-Ruby implementation using File.foreach(filepath).count, eliminating the shell entirely.
Attack Vector
Exploitation requires that an application pass an attacker-controlled string as the CSV file path to CsvEnumerator.new(...).count_of_rows_in_file or any code path that invokes it. The attack is network-reachable when the filename originates from an HTTP request, job arguments, or stored data influenced by external users.
# Behaviour of CSV#path changed in Ruby 2.6.3 (returns nil instead of raising NoMethodError)
return unless filepath
- count = %x(wc -l < #{filepath}).strip.to_i
+ count = File.foreach(filepath).count
count -= 1 if @csv.headers
count
end
Source: GitHub Commit 1a7adfd. The patch removes the %x() shell invocation and replaces it with a safe file-iteration count.
Detection Methods for CVE-2025-53623
Indicators of Compromise
- Unexpected child processes spawned by Ruby worker processes, particularly sh, wc, bash, curl, or wget invocations from ActiveJob workers.
- Outbound network connections from job worker hosts to unfamiliar IPs immediately after CSV processing jobs run.
- Job arguments or audit logs containing shell metacharacters such as ;, |, `, $(, or && in fields representing file paths.
Detection Strategies
- Inventory dependencies for job-iteration versions below 1.11.0 by parsing Gemfile.lock across repositories and deployed application bundles.
- Add static analysis rules to flag direct or indirect use of CsvEnumerator with non-literal filepath arguments.
- Hunt process telemetry for Ruby processes executing wc -l with filenames containing shell metacharacters.
Monitoring Recommendations
- Alert on shell child processes spawned by application server users (for example puma, sidekiq, resque) that do not normally invoke shells.
- Forward background job logs and process execution events to a centralized analytics platform for correlation against deployment versions.
- Baseline expected CSV processing patterns and alert on deviations such as new outbound connections during job execution.
How to Mitigate CVE-2025-53623
Immediate Actions Required
- Upgrade job-iteration to 1.11.0 or later in all applications and rebuild deployment artifacts.
- Audit application code for callers of CsvEnumerator and count_of_rows_in_file that accept untrusted filenames.
- Rotate credentials and inspect logs on hosts where vulnerable versions processed externally supplied CSV paths.
Patch Information
The vulnerability is fixed in job-iteration v1.11.0 via pull request #595. Full technical details are available in the GitHub Security Advisory GHSA-6qjf-g333-pv38. Update the gem in Gemfile and run bundle update job-iteration.
Workarounds
- Avoid passing untrusted input to the CsvEnumerator class until the patched version is deployed.
- Validate and sanitize CSV file paths against an allowlist of expected directories and filename patterns before invoking enumerator methods.
- Do not call count_of_rows_in_file with filenames derived from user input, external systems, or unverified storage.
# Configuration example: pin the patched version in Gemfile
# Gemfile
gem 'job-iteration', '>= 1.11.0'
# Then update and verify
bundle update job-iteration
bundle list | grep job-iteration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
