PT-2025-4860 · Deepin · Dde-Api-Proxy

Matthias Gerstner

·

Published

2024-08-29

·

Updated

2025-02-02

·

CVE-2025-23222

CVSS v3.1

8.4

High

Vector

AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Deepin dde-api-proxy versions 1.0.0 through 1.0.19

Description

The issue allows unprivileged local users to reach D-Bus service methods as root: dde-api-proxy runs as root and forwards messages from arbitrary local users to legacy D-Bus methods in the actual D-Bus services. Those services are unaware of the proxy and see the proxy's root connection as the caller, so they treat each forwarded request as coming from root. As a result, several proxied methods that should be restricted to root are reachable by non-root users. Where the services rely on Polkit, the caller is likewise treated as an administrator, with the same escalation of privileges.

Recommendations

Deepin dde-api-proxy versions 1.0.0 through 1.0.19: update to a version that includes the fix for this authentication bypass. Note that the initial bugfix release may be incomplete, so further updates may be required.
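As an added illustration (not code from this page, from dde-api-proxy or from Deepin), the following Python model shows the confused-deputy pattern the description refers to: a bus daemon that knows the UID behind each connection, a backend service that authorizes its legacy method by asking the bus who the sender is, a root-owned proxy that forwards on its own connection, and a proxy variant that authorizes the original caller before forwarding. The service and method names (com.example.Backend, com.example.LegacyProxy, SetSystemSetting) and the FixedProxy check are assumptions made for the model; they are not the real service names and do not describe the upstream patch.

```python
"""Constructed model of the D-Bus confused-deputy situation described above.

Added illustration, not dde-api-proxy's code. It models only what matters
for the bug: a bus daemon that knows the UID behind every connection, a
backend service that authorizes its legacy method by asking the bus who the
*sender* is, and a root-owned proxy that forwards calls over its own
connection. Service and method names are made up for the example.
"""


class AccessDenied(Exception):
    """Raised in place of org.freedesktop.DBus.Error.AccessDenied."""


class Bus:
    """Stand-in for the bus daemon: hands out unique connection names and
    answers "which UID owns this connection?" (GetConnectionUnixUser)."""

    def __init__(self):
        self._uid_of = {}
        self._services = {}
        self._counter = 0

    def connect(self, uid):
        self._counter += 1
        name = f":1.{self._counter}"
        self._uid_of[name] = uid
        return name

    def get_connection_unix_user(self, connection):
        return self._uid_of[connection]

    def register(self, service_name, handler):
        self._services[service_name] = handler

    def call(self, sender, service_name, method, *args):
        # The bus delivers the message with the *sending connection* attached;
        # that, not any message argument, is what services authorize on.
        return self._services[service_name].dispatch(self, sender, method, *args)


class BackendService:
    """The real service. Its legacy method is root-only, enforced by looking
    up the sender's UID at the bus (a Polkit check would likewise evaluate
    the sender and treat uid 0 as an administrator)."""

    def __init__(self):
        self.changes = []

    def dispatch(self, bus, sender, method, *args):
        if method != "SetSystemSetting":
            raise ValueError(f"unknown method {method}")
        uid = bus.get_connection_unix_user(sender)
        if uid != 0:
            raise AccessDenied(f"uid {uid} may not call {method}")
        self.changes.append(args)
        return "ok"


class VulnerableProxy:
    """Runs as root and forwards every message on its own root connection,
    so the backend sees uid 0 whoever the original caller was."""

    def __init__(self, bus, backend_name):
        self.bus = bus
        self.backend_name = backend_name
        self.conn = bus.connect(uid=0)  # the proxy's own root connection

    def dispatch(self, bus, sender, method, *args):
        # 'sender' (the real caller) is dropped here: that is the bug.
        return bus.call(self.conn, self.backend_name, method, *args)


class FixedProxy(VulnerableProxy):
    """Same forwarding, but authorizes the *original* sender before acting
    on its behalf. This is the generic remedy for a confused deputy; it is an
    assumption of the model, not a description of the upstream patch."""

    def dispatch(self, bus, sender, method, *args):
        uid = bus.get_connection_unix_user(sender)
        if uid != 0:
            raise AccessDenied(f"uid {uid} may not call {method} via proxy")
        return super().dispatch(bus, sender, method, *args)


def via_proxy(proxy_cls, caller_uid):
    """Outcome of caller_uid calling the legacy method through proxy_cls."""
    bus = Bus()
    backend = BackendService()
    bus.register("com.example.Backend", backend)
    bus.register("com.example.LegacyProxy", proxy_cls(bus, "com.example.Backend"))
    caller = bus.connect(uid=caller_uid)
    try:
        bus.call(caller, "com.example.LegacyProxy", "SetSystemSetting", "example.key", "1")
    except AccessDenied:
        return "denied"
    return "allowed" if backend.changes else "denied"


def direct(caller_uid):
    """Outcome of the same call made straight to the backend, no proxy."""
    bus = Bus()
    bus.register("com.example.Backend", BackendService())
    caller = bus.connect(uid=caller_uid)
    try:
        bus.call(caller, "com.example.Backend", "SetSystemSetting", "example.key", "1")
    except AccessDenied:
        return "denied"
    return "allowed"


if __name__ == "__main__":
    print("direct, uid 1000:          ", direct(1000))
    print("vulnerable proxy, uid 1000:", via_proxy(VulnerableProxy, 1000))
    print("fixed proxy, uid 1000:     ", via_proxy(FixedProxy, 1000))
    print("fixed proxy, uid 0:        ", via_proxy(FixedProxy, 0))
```

The point the model makes is that D-Bus credentials belong to the connection, not to the message: once a root-owned process relays a message on its own connection, every downstream check (a UID lookup or a Polkit authorization keyed on the sender) evaluates the relay, not the user. A proxy that must forward on the user's behalf therefore has to perform the authorization itself against the original sender before forwarding, as FixedProxy does.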

Fix

LPE

Weakness Enumeration

Related Identifiers

BDU:2025-05410
CVE-2025-23222

Affected Products

Dde-Api-Proxy