Bug 2392836 (CVE-2025-9909) - CVE-2025-9909 aap-gateway: Improper Path Validation in Gateway Allows Credential Exfiltration
Summary: CVE-2025-9909 aap-gateway: Improper Path Validation in Gateway Allows Credent...
Keywords:
Status: NEW
Alias: CVE-2025-9909
Deadline: 2025-10-01
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-03 07:57 UTC by OSIDB Bzimport
Modified: 2025-11-19 15:44 UTC (History)
20 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:21768 0 None None None 2025-11-19 15:44:49 UTC

Description OSIDB Bzimport 2025-09-03 07:57:24 UTC 
Gateway lets an administrator create routes. There is some validation, but they allow routes starting a double slash (//), that look very much like legitimate URLs. This can be used to set up a "honey-pot" route to capture and exfiltrate user credentials.

This is a problem because a malicious admin could use this to create a backdoor to retain access after their permissions are revoked. It could also be exploited by an external attacker who social engineers a legitimate admin, convincing them to add the route for "troubleshooting" or "diagnostics" without the admin knowing what it's really for.

A core issue is that the gateway_path field doesn't properly sanitize its input, allowing these look-alike paths to be created.
Comment 1 errata-xmlrpc 2025-11-19 15:44:46 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2025:21768 https://access.redhat.com/errata/RHSA-2025:21768
Note You need to log in before you can comment on or make changes to this bug.