Bug 2392836 (CVE-2025-9909)

Summary: CVE-2025-9909 aap-gateway: Improper Path Validation in Gateway Allows Credential Exfiltration
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dschmidt, erezende, haoli, hkataria, jajackso, jcammara, jlanda, jmitchel, jneedle, kegrant, koliveir, kshier, mabashia, mattdavi, pbraun, security-response-team, shvarugh, simaishi, smcdonal, stcannon, teagle, tfister, thavo, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. A malicious or socially engineered administrator can configure a honey-pot route to intercept and exfiltrate user credentials, potentially maintaining persistent access or creating a backdoor even after their permissions are revoked.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2025-10-01   

Description OSIDB Bzimport 2025-09-03 07:57:24 UTC 
Gateway lets an administrator create routes. There is some validation, but they allow routes starting a double slash (//), that look very much like legitimate URLs. This can be used to set up a "honey-pot" route to capture and exfiltrate user credentials.

This is a problem because a malicious admin could use this to create a backdoor to retain access after their permissions are revoked. It could also be exploited by an external attacker who social engineers a legitimate admin, convincing them to add the route for "troubleshooting" or "diagnostics" without the admin knowing what it's really for.

A core issue is that the gateway_path field doesn't properly sanitize its input, allowing these look-alike paths to be created.
Comment 1 errata-xmlrpc 2025-11-19 15:44:46 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2025:21768 https://access.redhat.com/errata/RHSA-2025:21768
Comment 2 errata-xmlrpc 2025-12-10 17:40:18 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:23069 https://access.redhat.com/errata/RHSA-2025:23069