Karl.Fail

Tag: score:9.5

  • CVE-2025-4318: Critical Eval Injection Vulnerability in AWS Amplify Studio

    Overview

    On May 5, 2025, a critical vulnerability identified as CVE-2025-4318 was disclosed in AWS Amplify Studio, specifically within the aws-amplify/amplify-codegen-ui package. This flaw affects versions prior to 2.20.3 and has been categorized as a severe security risk due to improper input validation in UI component property expressions. It allows the injection and execution of arbitrary JavaScript code during component rendering and build processes.

    Technical Details

    This vulnerability is rooted in CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code, also known as Eval Injection. This means the application evaluates user-supplied inputs using functions like eval() without proper validation or sanitization, enabling attackers to execute malicious code.

    In this case, any authenticated user with permissions to create or modify components in Amplify Studio can exploit this flaw by injecting JavaScript into component properties. This code would then execute during UI component generation, leading to potentially full compromise of application data and behavior.

    CVSS Score and Severity

    Using the CVSS 4.0 standard, this vulnerability has been assigned a base score of 9.5, indicating critical severity. The associated vector string is:

    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

    This scoring reflects that the attack is possible over a network, requires low complexity and no user interaction or privileges, and results in high impact across confidentiality, integrity, and availability.

    Potential Impacts

    The identified CAPEC categories related to this vulnerability are:

    • CAPEC-592: Stored XSS – Malicious scripts persist in the system and execute when rendered to users.
    • CAPEC-251: Local Code Inclusion – Executing unauthorized local code on the server or build system.

    These vectors signify the exploit’s ability to compromise both user data and application logic.

    Affected Products

    The vulnerability impacts the amplify-codegen-ui package used by Amazon Amplify Studio, affecting all versions before 2.20.3. Users of earlier versions are strongly advised to upgrade immediately to mitigate risk.

    Mitigation

    Amazon has addressed this vulnerability in version 2.20.3 of the package. Developers and system administrators should:

    • Upgrade to the latest version of amplify-codegen-ui.
    • Audit existing components for unsafe JavaScript injection patterns.
    • Implement stricter access control to prevent unauthorized component modifications.

    Conclusion

    CVE-2025-4318 represents a critical security issue in a widely-used AWS development tool. Due to its severity and the potential for full application compromise, all users of Amplify Studio must prioritize patching and review access policies. This incident also underscores the need for robust input validation practices, particularly in dynamic code execution contexts.

    For more information, refer to the official Amazon security bulletin: AWS-2025-010.

  • Critical Cryptographic Weakness in WPS Office Enables Update Hijacking (CVE-2025-2516)

    Overview

    A critical vulnerability, identified as CVE-2025-2516, has been found in WPS Office for Windows by Kingsoft. The flaw stems from the use of a weak cryptographic key pair in the software’s signature verification process, which may allow attackers to sign malicious components as legitimate. This issue is further compounded by older WPS Office versions failing to validate the update server’s certificate, making it vulnerable to Adversary-In-The-Middle (AITM) attacks.

    Technical Details

    This vulnerability involves inadequate encryption strength, formally classified as CWE-326. The weak cryptographic key used for signature verification could be recovered through brute-force techniques. Once the private key is obtained, an attacker can generate valid-looking signed components and inject them into the software update mechanism.

    Older versions of WPS Office exacerbated this risk by not verifying the identity of the update server. This allowed attackers in a man-in-the-middle position to redirect users to malicious updates, fully compromising affected systems.

    CVSS and Severity

    Using the CVSS v4.0 scoring system, the vulnerability has been rated as Critical with a base score of 9.5. The vector string is:

    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Amber

    This reflects:

    • Attack is network-based
    • No privileges or user interaction required
    • High impact on confidentiality, integrity, and availability
    • High complexity due to key recovery requirement

    Attack Patterns

    The vulnerability aligns with several attack patterns:

    Real-World Exploitation

    This vulnerability has already been weaponized by a threat actor, underlining its severity and the urgency for remediation.

    Mitigation

    Users are advised to update WPS Office to the latest secure version and ensure that update processes validate server certificates. Organizations should also monitor for signs of tampered updates and verify the authenticity of software components.

    Further Information

    More insights are available in the detailed research by ESET: WeLiveSecurity Report.

    Conclusion

    CVE-2025-2516 is a reminder of the critical role cryptographic strength and secure update channels play in software integrity. Organizations should treat this vulnerability as high priority and respond accordingly to prevent potential exploitation.