Description
After completing a build with AWS Serverless Application Model Command Line Interface (SAM CLI) which include symlinks, the content of those symlinks are copied to the cache of the local workspace as regular files or directories. As a result, a user who does not have access to those symlinks outside of the Docker container would now have access via the local workspace. Users should upgrade to version 1.134.0 and ensure any forked or derivative code is patched to incorporate the new fixes. After upgrading, users must re-build their applications using the sam build --use-container to update the symlinks.
References (3)
Core 3
Core References
Various Sources vendor-advisory
https://aws.amazon.com/security/security-bulletins/AWS-2025-008/
Vendor Advisory third-party-advisory
https://github.com/aws/aws-sam-cli/security/advisories/GHSA-pp64-wj43-xqcr
Release Notes patch
https://github.com/aws/aws-sam-cli/releases/tag/v1.134.0
Scores
CVSS v3
6.5
EPSS
0.0054
EPSS Percentile
41.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-61
Status
published
Products (2)
AWS/AWS Serverless Application Model Command Line Interface
1.9.0 - 1.134.0
pypi/aws-sam-cli
0 - 1.134.0PyPI
Published
Mar 31, 2025
Tracked Since
Feb 18, 2026