ghsa-wm7x-ww72-r77q
Vulnerability from github
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that enables customers to deploy, manage, and scale containerized applications. Amazon ECS container agent provides an introspection API that provides information about the overall state of the Amazon ECS agent and the container instances.
We identified CVE-2025-9039, an issue in the Amazon ECS agent.
Impact Under certain conditions, this issue could allow an introspection server to be accessed off-host by another instance if the instances are in the same security group or if their security groups allow incoming connections that include the port where the server is hosted. This issue does not affect instances where the option to allow off-host access to the introspection server is set to 'false'.
Impacted versions: version 0.0.3 through 1.97.0
Patches This issue has been addressed in ECS agent version 1.97.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds Customers who cannot update to the latest AMI can modify the Amazon EC2 security groups to restrict incoming access to the introspection server port (51678).
References If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.97.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/aws/amazon-ecs-agent"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.3"
},
{
"fixed": "1.97.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-9039"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-277"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-14T18:30:08Z",
"nvd_published_at": "2025-08-14T17:15:42Z",
"severity": "MODERATE"
},
"details": "**Summary**\n[Amazon Elastic Container Service (Amazon ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) is a fully managed container orchestration service that enables customers to deploy, manage, and scale containerized applications. Amazon ECS container agent provides an [introspection API](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/introspection-diag.html) that provides information about the overall state of the Amazon ECS agent and the container instances. \n\nWe identified CVE-2025-9039, an issue in the Amazon ECS agent.\n\n**Impact**\nUnder certain conditions, this issue could allow an introspection server to be accessed off-host by another instance if the instances are in the same security group or if their security groups allow incoming connections that include the port where the server is hosted. This issue does not affect instances where the option to allow off-host access to the introspection server is set to \u0027false\u0027. \n\nImpacted versions: version 0.0.3 through 1.97.0\n\n**Patches**\nThis issue has been addressed in ECS agent version 1.97.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. \n\n**Workarounds**\nCustomers who cannot update to the latest AMI can modify the Amazon EC2 security groups to restrict incoming access to the introspection server port (51678). \n\n**References**\nIf you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
"id": "GHSA-wm7x-ww72-r77q",
"modified": "2025-08-14T19:37:34Z",
"published": "2025-08-14T18:30:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/amazon-ecs-agent/security/advisories/GHSA-wm7x-ww72-r77q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9039"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-018"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/amazon-ecs-agent"
},
{
"type": "WEB",
"url": "https://github.com/aws/amazon-ecs-agent/releases/tag/v1.97.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Information Disclosure in Amazon ECS Container Agent"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.