CVE-2025-3048

MEDIUM

AWS SAM CLI <1.134.0 - Info Disclosure

Title source: llm

Description

After completing a build with AWS Serverless Application Model Command Line Interface (SAM CLI) which include symlinks, the content of those symlinks are copied to the cache of the local workspace as regular files or directories. As a result, a user who does not have access to those symlinks outside of the Docker container would now have access via the local workspace. Users should upgrade to version 1.134.0 and ensure any forked or derivative code is patched to incorporate the new fixes. After upgrading, users must re-build their applications using the sam build --use-container to update the symlinks.

References (3)

[Various Sources] https://aws.amazon.com/security/security-bulletins/AWS-2025-008/

[Vendor Advisory] https://github.com/aws/aws-sam-cli/security/advisories/GHSA-pp64-wj43-xqcr

[Release Notes] https://github.com/aws/aws-sam-cli/releases/tag/v1.134.0

Scores

CVSS v3 6.5

EPSS 0.0009

EPSS Percentile 24.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-61

Status published

Products (2)

AWS/AWS Serverless Application Model Command Line Interface 1.9.0 - 1.134.0

pypi/aws-sam-cli 0 - 1.134.0PyPI

Published Mar 31, 2025

Tracked Since Feb 18, 2026