CVE-2025-3048: CWE-61: UNIX Symbolic Link (Symlink) Following in AWS AWS Serverless Application Model Command Line Interface
After completing a build with AWS Serverless Application Model Command Line Interface (SAM CLI) that includes symlinks, the content of those symlinks is copied to the cache of the local workspace as regular files or directories. As a result, a user who does not have access to those symlinks outside of the Docker container would now have access via the local workspace. Users should upgrade to version 1.134.0 and ensure any forked or derivative code is patched to incorporate the new fixes. After upgrading, users must re-build their applications using 'sam build --use-container' to update the symlinks.
AI Analysis
Technical Summary
CVE-2025-3048 is a path traversal vulnerability (CWE-22) in AWS Serverless Application Model Command Line Interface (SAM CLI) version 1.9.0. The issue arises during the build process when SAM CLI handles symbolic links (symlinks) included in serverless application projects. Instead of preserving symlinks, the CLI copies the content pointed to by these symlinks into the local workspace cache as regular files or directories. This behavior effectively bypasses access restrictions that would normally prevent users from accessing the symlink targets outside the Docker container environment. Consequently, users who should not have access to certain files or directories referenced by symlinks may gain unauthorized local access to sensitive data. The vulnerability does not require any privileges or authentication and can be triggered by a user performing a build with SAM CLI. The CVSS 4.0 score is 6.9 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction. AWS has addressed this vulnerability in version 1.134.0 by correcting the handling of symlinks during builds. Users must upgrade to this version and rebuild their applications using the 'sam build --use-container' command to ensure symlinks are properly handled and cached securely. This vulnerability also relates to CWE-497 (Exposure of Sensitive Information to an Unauthorized Actor) due to the unintended exposure of file contents. No known exploits are currently reported in the wild. The issue primarily affects developers and organizations using SAM CLI for serverless application development and deployment, especially those relying on symlinks within their projects.
Potential Impact
For European organizations, this vulnerability poses a confidentiality risk by potentially exposing sensitive files or directories that were intended to be inaccessible outside the Docker container environment. Organizations using AWS SAM CLI version 1.9.0 in their development pipelines may inadvertently expose proprietary code, configuration files, credentials, or other sensitive data through the local workspace cache. This exposure could lead to intellectual property theft, leakage of sensitive configuration or secrets, and increased risk of lateral movement if attackers gain access to developer machines or build environments. The vulnerability does not directly impact availability or integrity but could facilitate further attacks by revealing sensitive information. Given the widespread adoption of AWS cloud services and serverless architectures in Europe, particularly in countries with strong cloud ecosystems, the risk is material for software development teams and DevOps environments. The requirement for user interaction (running the build) limits remote exploitation but insider threats or compromised developer machines could exploit this flaw. The absence of known exploits in the wild suggests limited immediate risk, but the medium severity rating warrants prompt remediation to prevent potential data exposure.
Mitigation Recommendations
European organizations should immediately upgrade AWS SAM CLI to version 1.134.0 or later to incorporate the fix for this vulnerability. After upgrading, all serverless applications must be rebuilt using the command 'sam build --use-container' to ensure symlinks are handled correctly and cached securely. Organizations should audit their local workspace caches and build environments for any sensitive data that may have been exposed due to this vulnerability, removing or securing any such files. Implement strict access controls on developer workstations and build environments to limit unauthorized access to cached files. Incorporate security scanning and code review practices to detect improper use of symlinks or inclusion of sensitive files in serverless projects. Educate developers about the risks of symlink handling and ensure build pipelines are updated to use the patched CLI version. Consider isolating build environments using containerization or ephemeral build agents to reduce persistent local caching of sensitive data. Monitor for any unusual access patterns or insider threat indicators related to build environments. Finally, maintain awareness of AWS security advisories for any further updates or related vulnerabilities.
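One way to carry out the symlink review recommended above before building, as an added example that is not code from SAM CLI or from the advisory: it lists every symlink under a project root and flags those whose target resolves outside it, since those are the links whose contents a build would copy into the workspace cache. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def audit_symlinks(project_root):
    """Return sorted (link, resolved_target, status) for each symlink under project_root."""
    root = Path(project_root).resolve()
    findings = []
    # os.walk does not descend into symlinked directories by default, so the walk stays in the tree.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # non-strict: resolves as far as the chain exists
            if not target.exists():
                status = "dangling"
            elif target == root or root in target.parents:
                status = "internal"
            else:
                status = "external"  # content from outside the project would be pulled in
            findings.append((str(link.relative_to(root)), str(target), status))
    return sorted(findings)


def demo():
    """Build a constructed project tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        outside = base / "host_secrets"  # constructed stand-in for data outside the project
        outside.mkdir()
        (outside / "credentials.txt").write_text("constructed sample\n")
        project = base / "app"
        (project / "src").mkdir(parents=True)
        (project / "src" / "handler.py").write_text("def handler(e, c): return 0\n")
        os.symlink(outside, project / "src" / "shared")                  # escapes the root
        os.symlink(project / "src" / "handler.py", project / "main.py")  # stays inside
        os.symlink(base / "missing", project / "old")                    # dangling
        return [(link, status) for link, _, status in audit_symlinks(project)]


if __name__ == "__main__":
    for link, status in demo():
        print(f"{status:9} {link}")
```

Links reported as external are the ones to review or remove before running a build, and their targets are what to look for when auditing an existing workspace cache.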
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: AMZN
- Date Reserved: 2025-03-31T13:32:51.607Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ee9812d8f994a66ec3232f
Added to database: 10/14/2025, 6:36:02 PM
Last enriched: 10/14/2025, 6:51:11 PM
Last updated: 10/16/2025, 12:55:01 AM