CVE-2025-3048: 
Python vulnerability analysis and mitigation

The AWS Serverless Application Model Command Line Interface (AWS SAM CLI) contains a vulnerability identified as CVE-2025-3048. The issue was discovered in versions <= v1.133.0 and has been patched in version 1.134.0. When completing a build with AWS SAM CLI that includes symlinks, the content of those symlinks are copied to the cache of the local workspace as regular files or directories, allowing unauthorized access to symlinked content via the local workspace (AWS Bulletin, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The issue stems from improper handling of symlinks during the build process, where the AWS SAM CLI copies symlinked content to the local workspace cache without proper access control verification. This is categorized under CWE-22 (Path Traversal) and CWE-497 (Exposure of Sensitive System Information) (GitHub Advisory, Security Lab).

The vulnerability's impact is limited to the local workspace and does not affect AWS services, production environments, or cross-account resources. However, it could allow users to access content of symlinked files in the SAM CLI cache that they would not normally have access to outside of the Docker container (GitHub Advisory).

Users should upgrade to AWS SAM CLI version 1.134.0 or newer to address this vulnerability. After upgrading, it is crucial to re-build applications using the 'sam build --use-container' command to update the symlinks. There are no recommended workarounds, and users should ensure any forked or derivative code is patched to incorporate the new fixes (AWS Bulletin).

The GitHub Security Lab, through Kevin Backhouse, collaborated with AWS on this issue through the coordinated vulnerability disclosure process. AWS has acknowledged and addressed the vulnerability promptly by releasing a patch (Security Lab).