Bug 2392834 (CVE-2025-9907) - CVE-2025-9907 event-driven-ansible: Event Stream Test Mode Exposes Sensitive Headers in AAP EDA
Summary: CVE-2025-9907 event-driven-ansible: Event Stream Test Mode Exposes Sensitive ...
Keywords:
Status: NEW
Alias: CVE-2025-9907
Deadline: 2025-10-01
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-03 07:44 UTC by OSIDB Bzimport
Modified: 2025-09-18 14:05 UTC (History)
20 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-03 07:44:11 UTC 
The EDA Event Stream API endpoint (/api/eda/v1/event-streams/<id>/) is exposing all received HTTP headers in the test_headers field when an event stream is in test mode. The core of this vulnerability is that headers sent by the client, such as the Authorization header, are always captured and exposed.

This issue is exacerbated when a user mistakenly posts to an internal API gateway path for the stream (e.g. /api/eda/... instead of /eda-event-streams/...). This action causes sensitive, infrastructure-level headers (e.g., X-Trusted-Proxy) to also be captured and exposed in addition to the client headers.

This behavior is inconsistent with the platform's established security pattern of not exposing credential contents via the API. Not only does it expose them to the user that may own the credential, but the vulnerability exposes these headers persistently to anyone with read access on the event stream (who shouldn't be able to see contents of the credential).
Note You need to log in before you can comment on or make changes to this bug.