Critical Vulnerability Discovered in Deepin D-Bus Proxy Service
A critical vulnerability has been discovered in the Deepin desktop environment's dde-api-proxy service. The flaw, designated CVE-2025-23222 with a CVSS score of 8.4, allows local users to escalate privileges and perform unauthorized operations because of a design weakness in the service's authentication. dde-api-proxy runs as root and forwards requests from local users without authenticating them, so the D-Bus services it talks to treat each forwarded request as if it came from a root client. The vulnerability affects various D-Bus interfaces, enabling unprivileged users to invoke privileged methods. Although the Deepin team attempted a fix in version 1.0.19, significant flaws remain, and a more robust solution is needed to address the deeply rooted design issue.
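The confused-deputy pattern described above, as an added illustration that is not Deepin's code: a toy in-process "bus" stands in for D-Bus and stamps each call with the uid of the connection that sent it (the way dbus-daemon reports it via GetConnectionUnixUser), a backend authorizes on that uid, and a root-running proxy that re-issues calls on its own connection makes every call look like root's. The method name and the allow-list policy in the hardened variant are constructed assumptions, not the upstream fix.

```python
from dataclasses import dataclass

ROOT_UID = 0


@dataclass(frozen=True)
class Call:
    sender_uid: int  # uid the bus attached to the sending connection
    method: str


class PrivilegedBackend:
    """Stands in for a root D-Bus service that trusts the bus-reported uid."""

    def handle(self, call: Call) -> str:
        if call.sender_uid != ROOT_UID:
            return "denied"
        return f"ok:{call.method}"


class UnauthenticatedProxy:
    """Models the flawed behaviour: runs as root and re-issues the caller's
    request on its own connection, so the backend sees sender_uid == 0."""

    def __init__(self, backend: PrivilegedBackend, proxy_uid: int = ROOT_UID):
        self.backend, self.proxy_uid = backend, proxy_uid

    def forward(self, call: Call) -> str:
        return self.backend.handle(Call(self.proxy_uid, call.method))


class AuthorizingProxy(UnauthenticatedProxy):
    """Hardened variant (assumed design): authorize the ORIGINAL caller
    before re-issuing anything under the proxy's own root identity."""

    def __init__(self, backend: PrivilegedBackend, allowed_uids=frozenset()):
        super().__init__(backend)
        self.allowed_uids = frozenset(allowed_uids)

    def forward(self, call: Call) -> str:
        if call.sender_uid != ROOT_UID and call.sender_uid not in self.allowed_uids:
            return "denied"  # unprivileged caller never reaches the backend
        return super().forward(call)


def demo():
    """Same unprivileged call sent directly, via the flawed proxy, via the fix."""
    backend = PrivilegedBackend()
    user_call = Call(sender_uid=1000, method="PrivilegedOperation")  # constructed
    direct = backend.handle(user_call)
    via_flawed = UnauthenticatedProxy(backend).forward(user_call)
    via_fixed = AuthorizingProxy(backend).forward(user_call)
    return direct, via_flawed, via_fixed
```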
