How CVE-2025-3048 Works
The vulnerability in AWS SAM CLI (<= v1.133.0) occurs during containerized builds (--use-container). When symlinks are processed, their contents are improperly cached as regular files/directories in the local workspace. Normally, symlinks outside the Docker container should remain restricted, but the flawed caching mechanism exposes them. Attackers with local access can read sensitive files referenced by symlinks, bypassing Docker's isolation. The fix in v1.134.0 ensures symlinks are handled securely, preventing unintended cache exposure.
DailyCVE Form:
Platform: AWS SAM CLI
Version: <= v1.133.0
Vulnerability: Symlink cache exposure
Severity: Medium
Date: 2025-3048
What Undercode Says:
Analytics:
- Attack Vector: Local access to workspace cache
- Privilege Escalation: No
- Exploit Complexity: Low (requires local access)
Exploit Commands:
1. Check AWS SAM CLI version:
sam --version
2. Identify cached symlinks (pre-patch):
find ~/.aws-sam/cache -type l -ls
Mitigation Commands:
1. Upgrade AWS SAM CLI:
pip install --upgrade aws-sam-cli
2. Rebuild projects securely:
sam build --use-container --clean
3. Audit cache manually:
rm -rf ~/.aws-sam/cache && sam build --use-container
Detection Script (Python):
import re
import subprocess

def check_sam_version():
    # Run `sam --version`; the output contains a string like "version 1.133.0"
    result = subprocess.run(["sam", "--version"], capture_output=True, text=True)
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", result.stdout)
    if not match:
        return False  # sam not installed or unexpected output
    version = tuple(int(part) for part in match.groups())
    # Every release up to and including 1.133.0 is affected
    return version <= (1, 133, 0)

if check_sam_version():
    print("[!] Vulnerable AWS SAM CLI detected. Upgrade immediately.")
else:
    print("[+] No vulnerable version detected.")
Patch Analysis:
The fix modifies cache handling to:
1. Preserve symlink metadata during builds.
2. Exclude symlink targets from workspace cache.
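As an added audit example (not part of the original post or of the SAM CLI project): the script below lists symlinks in a build workspace that point outside it and reports any whose counterpart in a cache directory became a regular file or directory, which is exactly the exposure condition described above. The workspace and cache paths are assumed arguments you supply, and the demo() fixture is a constructed temp directory, not a real SAM cache.

```python
import os
import tempfile
from pathlib import Path

def external_symlinks(workspace):
    # Symlinks under `workspace` whose resolved target lies outside the workspace root.
    root = workspace.resolve()
    found = []
    for dirpath, dirnames, filenames in os.walk(workspace, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if link.is_symlink():
                target = link.resolve()
                if target != root and root not in target.parents:
                    found.append(link)
    return found

def materialized_targets(workspace, cache_dir):
    # An external symlink whose counterpart in the cache is a regular file or
    # directory means the target's contents, not the link, were copied in.
    findings = []
    for link in external_symlinks(workspace):
        rel = link.relative_to(workspace)
        cached = cache_dir / rel
        if cached.exists() and not cached.is_symlink():
            findings.append({"symlink": str(rel), "target": str(link.resolve()),
                             "cached_as": "dir" if cached.is_dir() else "file"})
    return findings

def demo():
    # Constructed fixture (not a real SAM cache): a workspace with one symlink
    # pointing outside it, and a cache where that path became a regular file.
    base = Path(tempfile.mkdtemp())
    outside = base / "outside" / "secret.txt"
    outside.parent.mkdir()
    outside.write_text("hypothetical secret\n")
    ws, cache = base / "workspace", base / "cache"
    ws.mkdir()
    cache.mkdir()
    (ws / "app.py").write_text("print('hello')\n")
    (ws / "leak").symlink_to(outside)                   # external symlink
    (cache / "app.py").write_text("print('hello')\n")
    (cache / "leak").write_text(outside.read_text())    # contents copied as a file
    return materialized_targets(ws, cache)

if __name__ == "__main__":
    for f in demo():
        print(f"[!] {f['symlink']} -> {f['target']} cached as regular {f['cached_as']}")
```

Point materialized_targets() at your real project directory and the cache produced by sam build --use-container; a patched CLI should yield no findings.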
References:
Reported By: https://github.com/advisories/GHSA-pp64-wj43-xqcr