CVE-2026-12958
AWS · Language Servers for AWS
A missing symlink validation vulnerability in Language Servers for AWS allows for arbitrary file writes outside of the intended workspace trust boundary.
Executive summary
Language Servers for AWS are susceptible to an arbitrary file write vulnerability: because symbolic links are not validated, an attacker can cause the language server to write files outside the workspace trust boundary, potentially modifying system files.
Vulnerability
The vulnerability stems from a failure to validate symbolic links before writing. Because the affected code does not check where a link inside the workspace actually resolves, a symlink can redirect a write that the language server intends to keep inside the workspace to any location the process can write to, potentially leading to unauthorized code execution or changes to system configuration.
Business impact
This vulnerability poses a high-severity risk to development environments (CVSS score 7.8). The ability to write files outside the workspace trust boundary can be leveraged to gain elevated privileges or to inject malicious code into the development pipeline, potentially resulting in a downstream supply chain compromise.
Remediation
Immediate Action: Apply the vendor-provided fix, which corrects the symlink validation logic, to all installations of Language Servers for AWS.
Proactive Monitoring: Monitor for unusual file system activity by the language server process, specifically writes to paths outside the open project workspace.
Compensating Controls: Run the development environment under the principle of least privilege so that the language server process has minimal write access to the host operating system outside the workspace.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Arbitrary file write vulnerabilities in developer tooling are dangerous because they can lead to full compromise of developer workstations and build servers. We strongly advise updating the affected AWS Language Servers immediately to mitigate the risk of workspace escape and subsequent system manipulation.