CVE-2025-23222

An issue was discovered in Deepin dde-api-proxy through 1.0.19 in which unprivileged users can access D-Bus services as root. Specifically, dde-api-proxy runs as root and forwards messages from arbitrary local users to legacy D-Bus methods in the actual D-Bus services, and the actual D-Bus services don't know about the proxy situation (they believe that root is asking them to do things). Consequently several proxied methods, that shouldn't be accessible to non-root users, are accessible to non-root users. In situations where Polkit is involved, the caller would be treated as admin, resulting in a similar escalation of privileges.

CVSS v3 8.4 HIGH

8.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.5 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://bugzilla.suse.com/show_bug.cgi?id=1229918
https://security.opensuse.org/2025/01/24/dde-api-proxy-privilege-escalation.html
https://www.openwall.com/lists/oss-security/2025/01/24/3

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se descubrió un problema en Deepin dde-api-proxy hasta la versión 1.0.19 en el que los usuarios sin privilegios pueden acceder a los servicios de D-Bus como root. Específicamente, dde-api-proxy se ejecuta como superusuario y reenvía mensajes de usuarios locales arbitrarios a métodos D-Bus heredados en los servicios D-Bus reales, y los servicios D-Bus reales no conocen la situación del proxy (creen que superusuario les está pidiendo que hagan cosas). En consecuencia, varios métodos proxy, que no deberían ser accesibles para usuarios que no sean root, son accesibles para usuarios que no son superusuarios. En situaciones en las que Polkit está involucrado, el llamador sería tratado como administrador, lo que resultaría en una escalada similar de privilegios.

24 Jan 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-24 17:15

Updated : 2026-06-17 08:52

NVD link : CVE-2025-23222

Mitre link : CVE-2025-23222

CVE.ORG link : CVE-2025-23222

JSON object : View

Products Affected

No product.

CWE

CWE-940

Improper Verification of Source of a Communication Channel

{"id": "CVE-2025-23222", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-23222", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2025-01-24T17:40:55.747192Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.5}]}, "affected": [{"source": "cve@mitre.org", "affectedData": [{"vendor": "Deepin", "product": "dde-api-proxy", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.19"}], "defaultStatus": "unknown"}]}], "published": "2025-01-24T17:15:15.730", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1229918", "source": "cve@mitre.org"}, {"url": "https://security.opensuse.org/2025/01/24/dde-api-proxy-privilege-escalation.html", "source": "cve@mitre.org"}, {"url": "https://www.openwall.com/lists/oss-security/2025/01/24/3", "source": "cve@mitre.org"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-940"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Deepin dde-api-proxy through 1.0.19 in which unprivileged users can access D-Bus services as root. Specifically, dde-api-proxy runs as root and forwards messages from arbitrary local users to legacy D-Bus methods in the actual D-Bus services, and the actual D-Bus services don't know about the proxy situation (they believe that root is asking them to do things). Consequently several proxied methods, that shouldn't be accessible to non-root users, are accessible to non-root users. In situations where Polkit is involved, the caller would be treated as admin, resulting in a similar escalation of privileges."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Deepin dde-api-proxy hasta la versi\u00f3n 1.0.19 en el que los usuarios sin privilegios pueden acceder a los servicios de D-Bus como root. Espec\u00edficamente, dde-api-proxy se ejecuta como superusuario y reenv\u00eda mensajes de usuarios locales arbitrarios a m\u00e9todos D-Bus heredados en los servicios D-Bus reales, y los servicios D-Bus reales no conocen la situaci\u00f3n del proxy (creen que superusuario les est\u00e1 pidiendo que hagan cosas). En consecuencia, varios m\u00e9todos proxy, que no deber\u00edan ser accesibles para usuarios que no sean root, son accesibles para usuarios que no son superusuarios. En situaciones en las que Polkit est\u00e1 involucrado, el llamador ser\u00eda tratado como administrador, lo que resultar\u00eda en una escalada similar de privilegios."}], "lastModified": "2026-06-17T08:52:45.833", "sourceIdentifier": "cve@mitre.org"}