Publication Date: 2025/03/31 08:10 AM PDT
Description
The AWS Serverless Application Model Command Line Interface (AWS SAM CLI) is an open-source CLI tool that helps Lambda developers to build and develop Lambda applications locally on their computers using Docker.
We have identified the following issues within the AWS SAM CLI. A fix has been released and we recommend users upgrade to the latest version to address these issues. Additionally, users should ensure any forked or derivative code is patched to incorporate the new fixes.
- CVE-2025-3047: When running the AWS SAM CLI build process with Docker and symlinks are included in the build files, the container environment allows a user to access privileged files on the host by leveraging the elevated permissions granted to the tool. A user could leverage the elevated permissions to access restricted files via symlinks and copy them to a more permissive location on the container. This issue affects AWS SAM CLI <= v1.132.0 and has been resolved in v1.133.0. To retain the previous behavior after upgrading and allow symlinks to resolve on the host machine, please use the explicit '--mount-symlinks' parameter.
- CVE-2025-3048: After completing a build with AWS SAM CLI which include symlinks, the content of those symlinks are copied to the cache of the local workspace as regular files or directories. As a result, a user who does not have access to those symlinks outside of the Docker container would now have access via the local workspace. This issue affects AWS SAM CLI <= v1.133.0 and has been resolved in v1.134.0. After upgrading, users must re-build their applications using the sam build --use-container to update the symlinks.
Affected version: <= AWS SAM CLI v1.133.0
Resolution:
CVE-2025-3047 has been addressed in version 1.133.0 and CVE-2025-3048 has been addressed in version 1.134.0. Users should upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.
References:
Acknowledgement:
We would like to thank the GitHub Security Lab for collaborating on this issue through the coordinated vulnerability disclosure process.
Please email aws-security@amazon.com with any security questions or concerns.