CVE-2025-0500

HIGH

Amazon - SSRF

Title source: llm

Description

An issue in the native clients for Amazon WorkSpaces (when running Amazon DCV protocol), Amazon AppStream 2.0, and Amazon DCV Clients may allow an attacker to access remote sessions via man-in-the-middle.

References (6)

[Various Sources] https://aws.amazon.com/security/security-bulletins/AWS-2025-001/

[Various Sources] https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-windows-client.html#windows-release-notes

[Various Sources] https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-osx-client.html#osx-release-notes

[Various Sources] https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-linux-client.html#linux-release-notes

[Various Sources] https://docs.aws.amazon.com/appstream2/latest/developerguide/client-release-versions.html

[Various Sources] https://docs.aws.amazon.com/dcv/latest/adminguide/doc-history-release-notes.html#dcv-2023-1-16388jul

Scores

CVSS v3 7.5

EPSS 0.0029

EPSS Percentile 52.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-295

Status published

Products (7)

Amazon/AppStream 2.0 Client 1.1.1025 - 1.1.1332

Amazon/DCV Client < 2023.1.6703

Amazon/DCV Client 2020.2.2078 - 2023.1.6703

Amazon/DCV Client 2020.2.7459 - 2023.1.9127

Amazon/WorkSpaces Client 2023.0 - 2024.2

Amazon/WorkSpaces Client 5.0.0 - 5.21.0

Amazon/WorkSpaces Client 5.5.0 - 5.21.0

Published Jan 15, 2025

Tracked Since Feb 18, 2026