ADVISORIES

• CVE-2025-53623 (NVD)
• GHSA-6qjf-g333-pv38
• Vendor Advisory

GEM

job-iteration

PATCHED VERSIONS

• >= 1.11

DESCRIPTION

Impact

There is an arbitrary code execution vulnerability in the CsvEnumerator class of the job-iteration repository. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise.

Patches

Issue is fixed in versions 1.11.0 and above.

Workarounds

Users can mitigate the risk by avoiding the use of untrusted input in the CsvEnumerator class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid calling size on enumerators constructed with untrusted CSV filenames.

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2025-53623
• https://github.com/Shopify/job-iteration/security/advisories/GHSA-6qjf-g333-pv38
• https://github.com/Shopify/job-iteration/pull/595
• https://github.com/Shopify/job-iteration/commit/1a7adfdd041105a5e45e774cadc6b973a292ba55
• https://github.com/Shopify/job-iteration/releases/tag/v1.11.0
• https://github.com/advisories/GHSA-6qjf-g333-pv38