The following advisory data is extracted from:
https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_9986.json

Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update
Advisory ID: RHSA-2025:9986-03
Product: Red Hat Ansible Automation Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2025:9986
Issue date: 2025-07-01
Revision: 03
CVE Names: CVE-2025-22871
====================================================================

Summary:

An update is now available for Red Hat Ansible Automation Platform 2.5.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

* automation-eda-controller: Template Injection via Git Branch and Refspec in EDA Projects (CVE-2025-49521)
* automation-eda-controller: Authenticated Argument Injection in Git URL in EDA Project Creation (CVE-2025-49520)
* automation-gateway-proxy: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)
* automation-gateway-proxy-openssl30: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)
* automation-gateway-proxy-openssl32: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)
* receptor: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
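The two automation-eda-controller issues above concern user-supplied Git URL, branch and refspec values, and the fix list below notes that validation was added to exactly those fields (AAP-47227). The validator that follows is an added, illustrative example for this page, not code from Red Hat or the automation-eda-controller project: the allowed transport prefixes, the template-delimiter set and the simplified refspec grammar are assumptions, while the ref-name rules follow git's documented check-ref-format restrictions.

```python
import re

# Illustrative server-side validation for SCM fields of a project record.
# Assumption: the three values are later passed to git and to a templating
# layer, so they are checked before either ever sees them.

# Characters git's check-ref-format refuses: control chars, space, DEL, ~ ^ : ? [ \
_FORBIDDEN_REF_CHARS = re.compile(r"[\x00-\x20\x7f~^:?\[\\]")
# Template delimiters that have no legitimate place in a ref or refspec (assumed set).
_TEMPLATE_MARKERS = ("{{", "{%", "{#", "${", "$(", "`")
# Transport allowlist (assumed); anything else, including exotic remote helpers, is rejected.
_ALLOWED_URL_PREFIXES = ("https://", "http://", "ssh://", "git://", "git@")


def _looks_like_option(value: str) -> bool:
    """A leading '-' lets a value be parsed as a git command-line option rather than data."""
    return value.startswith("-")


def validate_git_url(url: str) -> bool:
    """Accept only a URL with an allowlisted transport, free of whitespace/control chars."""
    if not url or _looks_like_option(url):
        return False
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    if any(marker in url for marker in _TEMPLATE_MARKERS):
        return False
    return url.startswith(_ALLOWED_URL_PREFIXES)


def validate_ref(ref: str, allow_glob: bool = False) -> bool:
    """Branch/tag/commit names: git ref rules plus rejection of option-like and template input."""
    if not ref or ref == "@" or _looks_like_option(ref):
        return False
    if _FORBIDDEN_REF_CHARS.search(ref):
        return False
    if "*" in ref and (not allow_glob or ref.count("*") > 1):
        return False  # a single '*' is only meaningful inside a refspec pattern
    if ".." in ref or "@{" in ref or "//" in ref or ref.endswith(("/", ".", ".lock")):
        return False
    if any(part.startswith(".") or part.endswith(".lock") for part in ref.split("/")):
        return False
    return not any(marker in ref for marker in _TEMPLATE_MARKERS)


def validate_refspec(spec: str) -> bool:
    """Refspec grammar (assumed, simplified): optional '+', then 'src' or 'src:dst'."""
    if not spec or _looks_like_option(spec):
        return False
    body = spec[1:] if spec.startswith("+") else spec
    parts = body.split(":")
    if len(parts) > 2:
        return False
    return all(validate_ref(p, allow_glob=True) for p in parts)
```

Because the option-like check runs before any other rule, a value is never rejected for a reason that reveals which later rule it tripped, which keeps error messages uniform across the three fields.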
Updates and fixes included:

Automation Platform

* Updated API error messaging to be more helpful in the event a user logs in as the admin user via legacy auth on one component, then tries to do so via the other component (AAP-47541)
* Fixed an issue where API records could be missing or duplicated across pages (AAP-47504)
* Refactored V1RootView.get() and improved reverse lookup logic (AAP-47366)
* Refactored process_statuses() method to reduce its cognitive complexity (AAP-47341)
* Improved accuracy of openapi API docs and schema (AAP-46639)
* Reduced the cognitive complexity of method migrate_resource() in migrate_service_data.py from 56 to <=15 (AAP-45822)
* Reduced the cognitive complexity of the process_fields() method in serializers/preference.py file (AAP-45820)
* Reduced the cognitive complexity of unique_fields_for_model() method to below 15 (AAP-45819)
* Enable query filtering for fields user_ansible_id, team_ansible_id, and object_ansible_id on the role assignment API endpoints (AAP-45443)
* The Survey form is displayed for a Workflow visualizer Job template or Workflow Job template node with a survey enabled and no Prompt on Launch fields (AAP-47732)
* Fixed a bug that was causing the UI to throw an error when launching a workflow job template with both "Prompt on Launch" and "Survey" enabled (AAP-47668)
* The API feature flags used to hide references to Policy as Code in the UI have been removed. All Policy as Code fields appear for all users at all times (AAP-47006)
* Fixed a bug that was causing the UI to throw an error when launching a workflow job template with both "Prompt on Launch" and "Survey" enabled (AAP-46813)
* On the inventory source form, for a source type of 'VMware ESXi' the user will be able to select credentials of type 'VMware vCenter' (AAP-46784)
* Fixed a bug when selecting the 'Comparison' field for Attribute trigger in the Authenticator Map form (AAP-46555)
* Fixed a bug that was causing the UI to throw an error when launching a workflow job template with both "Prompt on Launch" and "Survey" enabled (AAP-45834)
* Added an extra validation to handle incorrect user input in the variables field, as the API doesn't return an error for it (AAP-42563)
* Fixed a bug that was causing the UI to throw an error when launching a workflow job template with both "Prompt on Launch" and "Survey" enabled (AAP-42303)
* The Hosts links in the Resource Counts section of the overview page were fixed to redirect to the Hosts page (AAP-42288)
* Allows role assignments using object_ansible_id in the role_user_assignment module (AAP-48042)
* Improved documentation and examples related to object_id and object_ansible_id parameters in role_user_assignment module (AAP-48041)
* Allows object_id field in role_user_assignment module to accept a list of items (AAP-47979)
* Fixed an example task in ansible.platform.token module (AAP-47976)
* Specify correct aap_* parameters in ansible.platform.token module (AAP-47975)
* Improved documentation and examples for authenticator and authenticator_map modules (AAP-45982)
* Updated documentation examples for the ansible.platform.settings module with tested task examples (AAP-45954)
* Added a new section in the collection README describing how to authenticate to AAP from the playbook (AAP-45578)
* Ensures that modules in the ansible.platform collection accept AAP_* variables for authentication (AAP-45363)
* Fixed ansible.platform.user not adding users to organizations (AAP-45248)
* Allows running ansible.platform collection modules in check_mode (AAP-45246)
* Added missing option in the ansible.platform.user module to allow setting the is_platform_auditor flag on a user (AAP-45244)
* automation-gateway has been updated to 2.5.20250702
* automation-gateway-proxy has been updated to 2.5.10-2
* automation-gateway-proxy-openssl30 has been updated to 2.6.6-2
* automation-gateway-proxy-openssl32 has been updated to 2.6.6-2
* python3.11-django-ansible-base has been updated to 2.5.20250702

Automation controller

* Fixed a database deadlock between 'awx_callback_receiver_worker' and 'awx_dispatcher_worker' while they attempted to update hosts' 'last_job_id' and 'ansible_facts' in two separate commands (AAP-46038)
* Fixed race condition where job templates with duplicate names in the same organization could be created (AAP-45968)
* Fixed a bug where some credential types were not populated after upgrading. This adds a new migration to accomplish this (AAP-44233)
* Updated controller to reduce the number of jobs stuck in waiting status when a large amount of jobs are queued (AAP-44143)
* receptor: Handle EOF correctly when pod is ready (AAP-46484)
* receptor: removed connections whose context has been cancelled (AAP-47996)
* automation-controller has been updated to 4.6.16
* receptor has been updated to 1.5.7

Automation hub

* Any user can search and filter using "ai" keywords to find AI related collections (AAP-43138)
* automation-hub has been updated to 4.10.5
* python3.11-galaxy-importer has been updated to 0.4.31
* python3.11-galaxy-ng has been updated to 4.10.5
* python3.11-pulp-ansible has been updated to 0.25.1
* python3.11-pulpcore has been updated to 3.49.42

Event-Driven Ansible

* Fixed an issue where the activation hangs when gather_facts is set to true in a rulebook; gather_facts is available only when running ansible-rulebook as a CLI (AAP-47846)
* Fixed a bug where DE images that use an SHA digest in the URI would fail to pull (AAP-47725)
* The REST API now supports editing the url of the project (AAP-47459)
* Added validations to URL, branch/tag/commit, and refspec fields when creating or updating a project (AAP-47227)
* Project resync is now triggered automatically when url/branch/scm_refspec is modified (AAP-46254)
* Relevant settings and versions are emitted in logs when the worker starts (AAP-40984)
* ansible-rulebook has been updated to 1.1.7
* automation-eda-controller has been updated to 1.1.11
* python3.11-websockets has been updated to 15.0

Container-based Ansible Automation Platform

* Fixed an issue with the Redis socket mount point permissions (AAP-48230)
* Fixed TLS Certificate Authority (CA) certificate for Receptor mesh configuration when providing TLS certificates not signed by the internal CA (AAP-48065)
* Fixed missing user parameter for the sos report command on the log_gathering playbook (AAP-47718)
* Validate that nodes are configured with at least 16G of RAM (AAP-47542)
* Fixed jquery version in the redirect page (AAP-47074)
* containerized installer setup has been updated to 2.5-16

RPM-based Ansible Automation Platform

* Fixed issue where redis-platform would not restart on restore (AAP-47689)
* Old service nodes are now removed from gateway when the installer runs with a new host or new host names (AAP-47651)
* Fixed an issue where restore was failing when a non-default port was used for AAP managed database (AAP-47639)
* Fixed an issue where some pages didn't render properly when non-default umask was being used (AAP-47377)
* Fixed issue where EDA script was not starting nginx on restart (AAP-46511)
* Credentials associated with decision environments will now be updated with the site information defined in the source inventory during restore (AAP-46271)
* Receptor certificate tasks will no longer require switching to the receptor user (AAP-46189)
* Fixed issue where the firewall was not opening event stream ports (AAP-45684)
* ansible-automation-platform-installer and installer setup have been updated to 2.5-15

Additional changes:

* ansible-creator has been updated to 25.5.0
* ansible-dev-environment has been updated to 25.5.0
* ansible-dev-tools has been updated to 25.5.2
* ansible-lint has been updated to 25.5.0
* ansible-navigator has been updated to 25.5.0
* molecule has been updated to 25.5.0
* python3.11-ansible-compat has been updated to 25.5.0
* python3.11-dispatcherd has been added
* python3.11-dynaconf has been updated to 3.2.11
* python3.11-psycopg has been updated to 3.2.7
* python3.11-pytest-ansible has been updated to 25.5.0
* python3.11-tox-ansible has been updated to 25.5.0

Solution:

CVEs:

CVE-2025-22871

References:

https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=2358493
https://bugzilla.redhat.com/show_bug.cgi?id=2370812
https://bugzilla.redhat.com/show_bug.cgi?id=2370817
https://issues.redhat.com/browse/AAP-42288