CVE-2022-23627
NixOS vulnerability analysis and mitigation

Overview

ArchiSteamFarm (ASF), a C# application designed for idling Steam cards from multiple accounts simultaneously, was found to contain a security vulnerability (CVE-2022-23627) introduced in version V5.2.2.2. The vulnerability was discovered and disclosed in February 2022 and affects versions ≥5.2.2.2 and <5.2.2.5, as well as versions ≥5.2.3.0 and <5.2.3.2 (GitHub Advisory).

Technical details

The vulnerability stemmed from inadequate verification of effective access when users sent proxy commands (i.e., [Bots] commands). Specifically, when a proxy-like command was sent to bot A targeting bot B, the system incorrectly verified the user's access against bot A instead of the intended target bot B. This implementation flaw allowed potential access to resources beyond the configured permissions (GitHub Advisory). The vulnerability was assigned a CVSS v3.1 base score of 5.0 (Moderate), with metrics indicating Network attack vector, High attack complexity, High privileges required, and No user interaction needed (GitHub Advisory).
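The following C# sketch illustrates the access-check mistake described above and the corrected pattern. It is an added example, not ASF's own code: the `Bot`, `Access` and `Proxy` types and the sample Steam ID are hypothetical, simplified stand-ins for ASF's permission model.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical, simplified model of ASF-style per-bot permissions; not ASF's own types.
enum Access { None, Operator, Master }

sealed class Bot
{
    public string Name { get; }
    // Caller Steam ID -> access level granted in this bot's own configuration.
    readonly Dictionary<ulong, Access> grants;

    public Bot(string name, Dictionary<ulong, Access> grants) { Name = name; this.grants = grants; }

    public Access AccessOf(ulong steamId) =>
        grants.TryGetValue(steamId, out Access a) ? a : Access.None;

    public string Status() => $"{Name}: idling";
}

static class Proxy
{
    // Vulnerable pattern: access is checked once, against the bot that received
    // the command, so every target bot named in the command is reached with the
    // receiver's permissions rather than its own.
    public static IEnumerable<string> StatusVulnerable(Bot receiver, IEnumerable<Bot> targets, ulong caller) =>
        receiver.AccessOf(caller) < Access.Operator
            ? new[] { "access denied" }
            : targets.Select(b => b.Status());

    // Fixed pattern: each target bot checks the caller against its own grants.
    public static IEnumerable<string> StatusFixed(IEnumerable<Bot> targets, ulong caller) =>
        targets.Select(b => b.AccessOf(caller) >= Access.Operator ? b.Status() : $"{b.Name}: access denied");
}

static class Program
{
    static void Main()
    {
        const ulong caller = 76561198000000001; // constructed sample Steam ID
        var botA = new Bot("A", new Dictionary<ulong, Access> { [caller] = Access.Operator });
        var botB = new Bot("B", new Dictionary<ulong, Access>()); // caller has no grant on B

        // Vulnerable: a proxy command sent to A targeting B is checked against A, so B's status leaks.
        Console.WriteLine(string.Join("; ", Proxy.StatusVulnerable(botA, new[] { botB }, caller)));
        // Fixed: B evaluates the caller itself and refuses.
        Console.WriteLine(string.Join("; ", Proxy.StatusFixed(new[] { botB }, caller)));
    }
}
```

The same mismatch applies to any proxied command, not only status queries: the deciding question is always which bot's configuration the caller's access is evaluated against.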

Impact

The vulnerability affected the confidentiality of other bot instances within the ASF process. While the impact was significant, it required the attacker to have pre-existing access granted explicitly by the original owner of the ASF process, as they needed to control at least one bot to exploit the inadequate access verification loophole. The majority of users running ASF in single-user scenarios were not directly affected, but those sharing access to their bots or running bots for other people were at risk (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in ASF versions V5.2.2.5 and V5.2.3.2. For users unable to upgrade, a recommended workaround was to ensure no other people were configured to access any declared bots, effectively removing the attack vector. Additionally, if users already had access to all bots (owning master permission), there was nothing further to exploit (GitHub Advisory).

Community reactions

The vulnerability was originally reported by TheRhanderson on the ASF Discord server. The issue was subsequently addressed through pull request #2509, which implemented the necessary fixes to the permission verification system (GitHub Advisory).


