SCA: security update for ejson2env, github.com/Shopify/ejson2env/v2 (GHSA-2c47-m757-32g6)

medium Tenable Cloud Security Plugin ID 434750

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ejson2env allows users to decrypt EJSON secrets and export them as environment variables. Prior to version
2.0.8, the `ejson2env` tool has a vulnerability related to how it writes to `stdout`. Specifically, the
tool is intended to write an export statement for environment variables and their values. However, due to
inadequate output sanitization, there is a potential risk where variable names or values may include
malicious content, resulting in additional unintended commands being output to `stdout`. If this output is
improperly utilized in further command execution, it could lead to command injection, allowing an attacker
to execute arbitrary commands on the host system. Version 2.0.8 sanitizes output during decryption. Other
mitigations involve avoiding use of `ejson2env` to decrypt untrusted user secrets and/or avoiding
evaluating or executing the direct output from `ejson2env` without removing nonprintable characters.
(CVE-2025-48069)

See Also

https://github.com/advisories/GHSA-2c47-m757-32g6

Plugin Details

Severity: Medium

ID: 434750

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.86

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:H/Au:M/C:C/I:C/A:C

CVSS Score Source: CVE-2025-48069

CVSS v3

Risk Factor: Medium

Base Score: 6.6

Temporal Score: 5.8

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/21/2025

Vulnerability Publication Date: 5/21/2025

Reference Information

CVE: CVE-2025-48069

cwe: CWE-78