CVE-2025-9039: 
vulnerability analysis and mitigation

CVE-2025-9039 is a security vulnerability identified in the Amazon ECS (Elastic Container Service) agent, discovered and disclosed on August 14, 2025. The vulnerability affects ECS Agent versions 0.0.3 through 1.97.0. The issue involves the introspection server component of the Amazon ECS agent, which provides information about the overall state of the Amazon ECS agent and container instances (AWS Bulletin).

The vulnerability allows the introspection server to be accessed off-host by another instance under specific conditions. This can occur when instances are in the same security group or if their security groups allow incoming connections to the introspection server port (51678). The vulnerability has received a CVSS v3.1 base score of 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and required privileges (GitHub Advisory).

The vulnerability could lead to information disclosure, allowing unauthorized access to the introspection API that provides information about the overall state of the Amazon ECS agent and the container instances. The impact is limited to instances where the option to allow off-host access to the introspection server is set to 'true' (AWS Bulletin).

The vulnerability has been patched in ECS Agent version 1.97.1. AWS recommends upgrading to the latest version and ensuring any forked or derivative code is patched accordingly. For customers who cannot update to the latest AMI, a workaround is available by modifying the Amazon EC2 security groups to restrict incoming access to the introspection server port (51678) (AWS Bulletin).