CVE-2025-23206

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-23206
The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow. However, the current `tls.connect` method will always set `rejectUnauthorized: false` which is a potential security concern. CDK should follow the best practice and set `rejectUnauthorized: true`. However, this could be a breaking change for existing CDK applications and we should fix this with a feature flag. Note that this is marked as low severity Security advisory because the issuer url is provided by CDK users who define the CDK application. If they insist on connecting to a unauthorized OIDC provider, CDK should not disallow this. Additionally, the code block is run in a Lambda environment which mitigate the MITM attack. The patch is in progress. To mitigate, upgrade to CDK v2.177.0 (Expected release date 2025-02-22). Once upgraded, users should make sure the feature flag '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' is set to true in `cdk.context.json` or `cdk.json`. There are no known workarounds for this vulnerability.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts#L34 Product
https://github.com/aws/aws-cdk/issues/32920 Issue Tracking
https://github.com/aws/aws-cdk/security/advisories/GHSA-v4mq-x674-ff73 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:aws_cloud_development_kit:*:*:*:*:*:*:*:*
History

19 Sep 2025, 18:45

Type Values Removed Values Added
CPE cpe:2.3:a:amazon:aws_cloud_development_kit:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.1
First Time Amazon aws Cloud Development Kit
Amazon
Summary
  • (es) AWS Cloud Development Kit (AWS CDK) es un software de desarrollo de código abierto framework para definir la infraestructura de la nube en código y aprovisionarla a través de AWS CloudFormation. Los usuarios que usan el paquete de proveedor de recursos personalizado de IAM OIDC descargarán CA Thumbprints como parte del flujo de trabajo de recursos personalizado. Sin embargo, el método `tls.connect` actual siempre establecerá `rejectUnauthorized: false`, lo que es un posible problema de seguridad. CDK debería seguir las mejores prácticas y establecer `rejectUnauthorized: true`. Sin embargo, esto podría ser un cambio radical para las aplicaciones CDK existentes y deberíamos solucionarlo con una marca de función. Tenga en cuenta que esto está marcado como un aviso de seguridad de baja gravedad porque la URL del emisor la proporcionan los usuarios de CDK que definen la aplicación CDK. Si insisten en conectarse a un proveedor de OIDC no autorizado, CDK no debería prohibirlo. Además, el bloque de código se ejecuta en un entorno Lambda que mitiga el ataque MITM. El parche está en proceso. Para mitigar este problema, actualice a CDK v2.177.0 (fecha de lanzamiento prevista: 22/02/2025). Una vez actualizado, los usuarios deben asegurarse de que la marca de función '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' esté configurada como verdadera en `cdk.context.json` o `cdk.json`. No se conocen workarounds para esta vulnerabilidad.
References () https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts#L34 - () https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts#L34 - Product
References () https://github.com/aws/aws-cdk/issues/32920 - () https://github.com/aws/aws-cdk/issues/32920 - Issue Tracking
References () https://github.com/aws/aws-cdk/security/advisories/GHSA-v4mq-x674-ff73 - () https://github.com/aws/aws-cdk/security/advisories/GHSA-v4mq-x674-ff73 - Vendor Advisory

17 Jan 2025, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-17 21:15

Updated : 2025-09-19 18:45

NVD link : CVE-2025-23206

Mitre link : CVE-2025-23206

CVE.ORG link : CVE-2025-23206

JSON object : View

Products Affected

amazon

  • aws_cloud_development_kit
CWE
CWE-347

Improper Verification of Cryptographic Signature