SB2025121832 - Multiple vulnerabilities in Red Hat OpenShift AI (RHOAI)
Published: December 18, 2025
Description
This security bulletin contains information about 11 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2025-12060)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to an input validation error in the keras.utils.get_file API when it is used with the extract=True option for tar archives. A remote user can supply a malicious .tar archive containing special symlinks, which, when extracted, allows them to write arbitrary files to any location on the filesystem outside of the intended destination folder.
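A pre-extraction check for the symlink and path-escape conditions described above, as an added example that is not code from Keras or from this bulletin. The function names `unsafe_members` and `safe_extract` are hypothetical; the `filter="data"` argument is the Python standard library's extraction filter.

```python
import os
import posixpath
import tarfile


def unsafe_members(members, dest):
    """Return (name, reason) for each member that could write outside dest."""
    root = os.path.realpath(dest)
    links = set()      # normalized names of link members seen so far
    problems = []

    def inside(path):
        return os.path.commonpath([root, os.path.realpath(path)]) == root

    for m in members:
        name = posixpath.normpath(m.name)
        parts = name.split("/")
        target = os.path.join(root, name)
        if not inside(target):
            problems.append((m.name, "path escapes destination"))
        elif any("/".join(parts[:i]) in links for i in range(1, len(parts))):
            problems.append((m.name, "path passes through an archive link"))
        elif m.issym() or m.islnk():
            # Symlink targets resolve from the link's own directory,
            # hard-link targets from the archive root.
            base = os.path.dirname(target) if m.issym() else root
            if not inside(os.path.join(base, m.linkname)):
                problems.append((m.name, "link target escapes destination"))
            links.add(name)
        elif not (m.isfile() or m.isdir()):
            problems.append((m.name, "special file type"))
    return problems


def safe_extract(archive_path, dest):
    """Extract only if every member passes the pre-check."""
    with tarfile.open(archive_path) as tar:
        problems = unsafe_members(tar.getmembers(), dest)
        if problems:
            raise ValueError(f"refusing to extract: {problems}")
        if hasattr(tarfile, "data_filter"):
            # Extraction-time filter from the standard library (PEP 706).
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
```

Running the pre-check over downloaded archives before any extraction step also gives a log of which member names were rejected and why.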
2) Input validation error (CVE-ID: CVE-2025-47913)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling SSH_AGENT_SUCCESS responses in the SSH agent. A malicious server can send a specially crafted response to the SSH client and crash it.
3) Deserialization of Untrusted Data (CVE-ID: CVE-2025-49655)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data while parsing external modules. A remote attacker can trick the victim into loading a malicious module and execute arbitrary code on the target system.
4) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-53643)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to not parsing trailer sections of an HTTP request. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of the vulnerability may allow an attacker to poison the HTTP cache and perform phishing attacks.
5) Buffer overflow (CVE-ID: CVE-2025-62164)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the Completions API endpoint when processing user-supplied prompt embeddings. A remote user can send specially crafted data to the application, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
6) Improper authentication (CVE-ID: CVE-2025-62593)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper authentication implemented on "/api/jobs" and "/api/job_agent/jobs/" endpoints. A remote attacker can trick the victim into visiting a malicious website and force the victim's browser into sending a crafted payload to the affected endpoints available at the developer's machine, resulting in remote code execution.
7) Infinite loop (CVE-ID: CVE-2025-62727)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop. A remote attacker can send a specially crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic and cause denial of service conditions.
8) OS Command Injection (CVE-ID: CVE-2025-64756)
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing file names. A remote user can pass a specially crafted filename to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
9) Insecure default initialization of resource (CVE-ID: CVE-2025-66416)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because the software does not enable DNS rebinding protection by default for HTTP-based servers. A remote attacker can trick the victim into visiting a malicious website, bypass same-origin policy restrictions by exploiting DNS rebinding and initiate requests to the local MCP server.
Successful exploitation of the vulnerability requires that an HTTP-based MCP server is running on the localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings.
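The kind of Host and Origin allowlist check that DNS rebinding protection performs for a localhost-only HTTP server, as an added example; it is not the MCP SDK's code. The function names, the allowlist and the sample header values in the usage are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for a server that should only be reached over loopback.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _hostname(value, default_scheme="http"):
    """Extract the lowercased hostname from a Host or Origin header value."""
    if "://" not in value:
        value = f"{default_scheme}://{value}"
    try:
        return urlsplit(value).hostname
    except ValueError:
        # Malformed value, e.g. an unterminated IPv6 literal.
        return None


def allow_request(headers, allowed_hosts=LOOPBACK_HOSTS):
    """Return (allowed, reason) for a request to a localhost-only server.

    headers is a dict with lowercased header names.
    """
    host = headers.get("host")
    if not host:
        return False, "missing Host header"
    # With DNS rebinding the TCP connection reaches 127.0.0.1, but the
    # browser still sends the name it resolved, so Host gives it away.
    if _hostname(host) not in allowed_hosts:
        return False, "Host not in allowlist"
    origin = headers.get("origin")
    # Non-browser clients usually omit Origin; when present it must match.
    if origin is not None and _hostname(origin) not in allowed_hosts:
        return False, "Origin not in allowlist"
    return True, "ok"
```

Rejected requests are worth logging with the offending Host value, since an unexpected name arriving on a loopback listener is a useful detection signal.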
10) Improper Control of Dynamically-Managed Code Resources (CVE-ID: CVE-2025-9905)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the Model.load_model() method. A remote attacker can trick the victim into loading a crafted .h5/.hdf5 model archive and execute arbitrary code on the system.
11) Deserialization of Untrusted Data (CVE-ID: CVE-2025-9906)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data even when "safe_mode" is enabled. A remote attacker can trick the victim into loading a specially crafted Keras v3 model and execute arbitrary code on the system.
This vulnerability exists due to an incomplete fix for #VU106013 (CVE-2025-1550) and #VU120185 (CVE-2025-8747).
Remediation
Install the update from the vendor's website.