CVE-2025-49619: Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks suc
Summary
Skyvern through version 0.1.85 is vulnerable to server-side template injection (SSTI, where untrusted input is parsed and evaluated as a template by the server's template engine) in the Prompt field of workflow blocks. Authenticated users can place Jinja2 template expressions (Jinja2 evaluates such expressions on the server) in that field; because the input is not properly sanitized before rendering, the expressions are evaluated, allowing command execution on the server without direct output in the response, a condition known as blind RCE (remote code execution).
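To make the distinction in the summary concrete, the following is an added example and not Skyvern's code: it contrasts the vulnerable pattern (the user's prompt text is itself handed to Jinja2 as the template) with the hardened pattern (the prompt is passed as a data value into a fixed, developer-owned template, so template delimiters in it stay literal). The function names, the wrapper template and the sample prompt are assumptions for illustration; a `SandboxedEnvironment` variant is included only as defence in depth for cases where user text genuinely must be templated.

```python
"""
Added example (not Skyvern's code): safe vs. unsafe handling of a
user-editable prompt field that is later rendered with Jinja2.
Function names, the wrapper template and sample inputs are assumptions.
"""
from jinja2 import Environment, StrictUndefined
from jinja2.sandbox import SandboxedEnvironment

# Fixed, developer-owned template. This string is the ONLY thing the template
# engine ever parses; user text only flows through it as a value.
_PROMPT_WRAPPER = Environment(autoescape=False, undefined=StrictUndefined).from_string(
    "Task for {{ workflow_name }}:\n{{ user_prompt }}"
)


def render_prompt_unsafe(user_prompt: str, context: dict) -> str:
    """Vulnerable pattern: the untrusted prompt *is* the template.

    Anything between {{ }} or {% %} in user_prompt is evaluated by Jinja2
    with access to the rendering context, which is the SSTI root cause.
    """
    return Environment().from_string(user_prompt).render(**context)


def render_prompt_safe(user_prompt: str, workflow_name: str) -> str:
    """Hardened pattern: the prompt is data, not code.

    Jinja2 never parses user_prompt, so template delimiters inside it are
    emitted verbatim instead of being evaluated.
    """
    return _PROMPT_WRAPPER.render(workflow_name=workflow_name, user_prompt=user_prompt)


def render_prompt_sandboxed(user_prompt: str, context: dict) -> str:
    """Defence in depth only, for cases where user text must be templated.

    SandboxedEnvironment restricts attribute and method access from within
    templates, but it is not a substitute for keeping user text out of the
    template grammar altogether (render_prompt_safe).
    """
    return SandboxedEnvironment(undefined=StrictUndefined).from_string(user_prompt).render(**context)


def looks_like_template(user_prompt: str) -> bool:
    """Detection aid: flag stored prompts that contain Jinja2 delimiters.

    Useful for auditing existing workflow definitions or alerting on saves,
    since a legitimate natural-language prompt rarely needs these tokens.
    """
    return any(token in user_prompt for token in ("{{", "{%", "{#"))


if __name__ == "__main__":
    # Constructed sample: a prompt that references a context variable.
    sample_prompt = "Summarise the page for {{ workflow_name }}"
    ctx = {"workflow_name": "demo"}
    print("unsafe   :", render_prompt_unsafe(sample_prompt, ctx))
    print("safe     :", render_prompt_safe(sample_prompt, "demo"))
    print("flagged  :", looks_like_template(sample_prompt))
```

The unsafe function substitutes the context variable into the user's text, proving the text was interpreted as a template; the safe function emits `{{ workflow_name }}` unchanged inside the wrapper, which is the behaviour a prompt field should have. `looks_like_template` is a cheap audit check to run over stored workflow definitions before and after upgrading.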
Solution / Mitigation
A fix is referenced in the GitHub commit db856cd8433a204c8b45979c70a4da1e119d949d in the Skyvern repository, but the source text does not explicitly describe what the fix does or provide a specific patched version number to upgrade to.
Vulnerability Details
Severity score: 8.5 (High)
EPSS: 66.4%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-49619
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 92%