cvelistv5 - cve-2025-2598

CVE-2025-2598 (GCVE-0-2025-2598)

Vulnerability from cvelistv5 – Published: 2025-03-21 14:14 – Updated: 2025-10-14 18:38

Summary

When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

Severity ?

5.7 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere

Assigner

AMZN

References

URL

Tags

	https://aws.amazon.com/security/security-bulletin…	vendor-advisory
	https://github.com/aws/aws-cdk/security/advisorie…	third-party-advisory
	https://github.com/aws/aws-cdk/releases/tag/v2.178.2	patch

Impacted products

	Vendor	Product	Version
	AWS	Cloud Development Kit Command Line Interface	Affected: 2.172.0 , < 2.178.2 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-2598",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-21T15:20:48.330547Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-21T15:21:14.276Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud Development Kit Command Line Interface",
          "vendor": "AWS",
          "versions": [
            {
              "lessThan": "2.178.2",
              "status": "affected",
              "version": "2.172.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eWhen the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an \u003ccode\u003eexpiration\u003c/code\u003e property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\u003c/p\u003e"
            }
          ],
          "value": "When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-150",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-150 Collect Data from Common Resource Locations"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-497",
              "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-14T18:38:18.174Z",
        "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "shortName": "AMZN"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-005/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/aws/aws-cdk/security/advisories/GHSA-v63m-x9r9-8gqp"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/aws/aws-cdk/releases/tag/v2.178.2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "AWS CDK CLI prints AWS credentials retrieved by custom credential plugins",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
    "assignerShortName": "AMZN",
    "cveId": "CVE-2025-2598",
    "datePublished": "2025-03-21T14:14:29.040Z",
    "dateReserved": "2025-03-21T11:48:52.961Z",
    "dateUpdated": "2025-10-14T18:38:18.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-2598\",\"sourceIdentifier\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\",\"published\":\"2025-03-21T15:15:43.120\",\"lastModified\":\"2025-10-14T19:15:39.090\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\"},{\"lang\":\"es\",\"value\":\"Cuando se utiliza la interfaz de l\u00ednea de comandos (CLI) de AWS CDK de AWS Cloud Development Kit (AWS CDK) con un complemento de credenciales que devuelve una propiedad de expiraci\u00f3n con las credenciales de AWS recuperadas, estas se imprimen en la salida de la consola. Para mitigar este problema, los usuarios deben actualizar a la versi\u00f3n 2.178.2 o posterior y asegurarse de que cualquier c\u00f3digo bifurcado o derivado est\u00e9 parcheado para incorporar las nuevas correcciones.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-497\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:amazon:aws_cloud_development_kit:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.172.0\",\"versionEndExcluding\":\"2.178.2\",\"matchCriteriaId\":\"D58DAB0A-9735-4832-B092-ECCD20545D1F\"}]}]}],\"references\":[{\"url\":\"https://aws.amazon.com/security/security-bulletins/AWS-2025-005/\",\"source\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/aws/aws-cdk/releases/tag/v2.178.2\",\"source\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\"},{\"url\":\"https://github.com/aws/aws-cdk/security/advisories/GHSA-v63m-x9r9-8gqp\",\"source\":\"ff89ba41-3aa1-4d27-914a-91399e9639e5\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-2598\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-21T15:20:48.330547Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-21T15:20:52.582Z\"}}], \"cna\": {\"title\": \"AWS CDK CLI prints AWS credentials retrieved by custom credential plugins\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-150\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-150 Collect Data from Common Resource Locations\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"AWS\", \"product\": \"Cloud Development Kit Command Line Interface\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.172.0\", \"lessThan\": \"2.178.2\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://aws.amazon.com/security/security-bulletins/AWS-2025-005/\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/aws/aws-cdk/security/advisories/GHSA-v63m-x9r9-8gqp\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/aws/aws-cdk/releases/tag/v2.178.2\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eWhen the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an \u003ccode\u003eexpiration\u003c/code\u003e property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-497\", \"description\": \"CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere\"}]}], \"providerMetadata\": {\"orgId\": \"ff89ba41-3aa1-4d27-914a-91399e9639e5\", \"shortName\": \"AMZN\", \"dateUpdated\": \"2025-10-14T18:38:18.174Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-2598\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-14T18:38:18.174Z\", \"dateReserved\": \"2025-03-21T11:48:52.961Z\", \"assignerOrgId\": \"ff89ba41-3aa1-4d27-914a-91399e9639e5\", \"datePublished\": \"2025-03-21T14:14:29.040Z\", \"assignerShortName\": \"AMZN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-V63M-X9R9-8GQP

Vulnerability from github – Published: 2025-03-21 17:43 – Updated: 2025-10-14 21:58

Summary

AWS CDK CLI prints AWS credentials retrieved by custom credential plugins

Details

Summary

The AWS Cloud Development Kit (AWS CDK) [1] is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. The AWS CDK CLI [2] is a command line tool for interacting with CDK applications. Customers can use the CDK CLI to create, manage, and deploy their AWS CDK projects.

An issue exists in the AWS CDK CLI where, under certain conditions, AWS credentials may be returned in the console output. Plugins that return an expirationproperty in the credentials object are affected by this issue. Plugins that omit the expiration property are not affected.

Impact

When customers run AWS CDK CLI commands with credential plugins and configure those plugins to return temporary credentials by including an expiration property, the AWS credentials retrieved by the plugin may be returned in the console output. Any user with access where the CDK CLI was ran would have access to this output.

The following are examples of configuring a custom credential plugin:

Via command line option:

cdk deploy --plugin /path/to/plugin

Via configuration file [3]:

{
  "plugin": "/path/to/plugin"
}

Plugins that return an expiration property in the credentials object, such as the following example, are affected:

return {
    accessKeyId: '<access-key>',
    secretAccessKey: '<secret-access-key>',
    sessionToken: '<session-token>',
    expiration: <date>,
};

The expiration property indicates that the provided credentials are temporary.

Please refer to our "AWS CDK CLI Library" guide for more information about custom credential plugins [4].

Impacted versions: >=2.172.0 and <2.178.2

Patches

The issue has been addressed in version 2.178.2 [5]. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds

If you are unable to upgrade to version 2.178.2 or later, you can downgrade to version 2.171.1. If you are unable to downgrade, but have access to the code of the credential plugin you use, you can remove the expiration property from the object returned by the plugin.

For example, change the code from returning this:

return {
    accessKeyId: assumeRoleOutput.Credentials.AccessKeyId,
    secretAccessKey: assumeRoleOutput.Credentials.SecretAccessKey,
    sessionToken: assumeRoleOutput.Credentials.SessionToken,

    // Expiration indicates to the CLI that this is temporary
    expiration: assumeRoleOutput.Credentials.Expiration,
};

To return this:

return {
    accessKeyId: assumeRoleOutput.Credentials.AccessKeyId,
    secretAccessKey: assumeRoleOutput.Credentials.SecretAccessKey,
    sessionToken: assumeRoleOutput.Credentials.SessionToken,
};

Note that this will prevent the CDK CLI from refreshing the credentials when needed, and may cause your workflow to fail on an expired credentials error.

References

[1] https://docs.aws.amazon.com/cdk/v2/guide/home.html

[2] https://docs.aws.amazon.com/cdk/v2/guide/cli.html

[3] https://docs.aws.amazon.com/cdk/v2/guide/cli.html#cli-config

[4] https://www.npmjs.com/package/@aws-cdk/cli-plugin-contract

[5] https://github.com/aws/aws-cdk/releases/tag/v2.178.2

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5.7 (Medium)


                  
                    CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "aws-cdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.172.0"
            },
            {
              "fixed": "2.178.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "cdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.172.0"
            },
            {
              "fixed": "2.178.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-2598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-497"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T17:43:09Z",
    "nvd_published_at": "2025-03-21T15:15:43Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe AWS Cloud Development Kit (AWS CDK) [1] is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. The AWS CDK CLI [2] is a command line tool for interacting with CDK applications. Customers can use the CDK CLI to create, manage, and deploy their AWS CDK projects. \n\nAn issue exists in the AWS CDK CLI where, under certain conditions, AWS credentials may be returned in the console output. Plugins that return an `expiration `property in the credentials object are affected by this issue. Plugins that omit the `expiration` property are not affected. \n\n## Impact\n\nWhen customers run AWS CDK CLI commands with credential plugins and configure those plugins to return temporary credentials by including an `expiration` property, the AWS credentials retrieved by the plugin may be returned in the console output. Any user with access where the CDK CLI was ran would have access to this output. \n\nThe following are examples of configuring a custom credential plugin: \n\n_Via command line option:_\n\n`cdk deploy --plugin /path/to/plugin`\n\n_Via configuration file [3]:_\n\n```json\n{\n  \"plugin\": \"/path/to/plugin\"\n}\n```\n\nPlugins that return an `expiration` property in the credentials object, such as the following example, are affected:\n\n```console\nreturn {\n    accessKeyId: \u0027\u003caccess-key\u003e\u0027,\n    secretAccessKey: \u0027\u003csecret-access-key\u003e\u0027,\n    sessionToken: \u0027\u003csession-token\u003e\u0027,\n    expiration: \u003cdate\u003e,\n};\n```\n\nThe `expiration` property indicates that the provided credentials are temporary. \n\nPlease refer to our \"AWS CDK CLI Library\" guide for more information about custom credential plugins [4].\n\n## Impacted versions:  \u003e=2.172.0 and \u003c2.178.2\n\n## Patches\n\nThe issue has been addressed in version 2.178.2 [5]. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. \n\n## Workarounds\n\nIf you are unable to upgrade to version 2.178.2 or later, you can downgrade to version 2.171.1. If you are unable to downgrade, but have access to the code of the credential plugin you use, you can remove the `expiration` property from the object returned by the plugin.\n\nFor example, change the code from returning this:\n\n```javascript\nreturn {\n    accessKeyId: assumeRoleOutput.Credentials.AccessKeyId,\n    secretAccessKey: assumeRoleOutput.Credentials.SecretAccessKey,\n    sessionToken: assumeRoleOutput.Credentials.SessionToken,\n\n    // Expiration indicates to the CLI that this is temporary\n    expiration: assumeRoleOutput.Credentials.Expiration,\n};\n```\n\nTo return this:\n\n```javascript\nreturn {\n    accessKeyId: assumeRoleOutput.Credentials.AccessKeyId,\n    secretAccessKey: assumeRoleOutput.Credentials.SecretAccessKey,\n    sessionToken: assumeRoleOutput.Credentials.SessionToken,\n};\n```\n\nNote that this will prevent the CDK CLI from refreshing the credentials when needed, and may cause your workflow to fail on an expired credentials error. \n\n## References\n\n[1] https://docs.aws.amazon.com/cdk/v2/guide/home.html\n\n[2] https://docs.aws.amazon.com/cdk/v2/guide/cli.html\n\n[3] https://docs.aws.amazon.com/cdk/v2/guide/cli.html#cli-config\n\n[4] https://www.npmjs.com/package/@aws-cdk/cli-plugin-contract\n\n[5] https://github.com/aws/aws-cdk/releases/tag/v2.178.2",
  "id": "GHSA-v63m-x9r9-8gqp",
  "modified": "2025-10-14T21:58:44Z",
  "published": "2025-03-21T17:43:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-cdk/security/advisories/GHSA-v63m-x9r9-8gqp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2598"
    },
    {
      "type": "WEB",
      "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-005"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/aws-cdk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-cdk/releases/tag/v2.178.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AWS CDK CLI prints AWS credentials retrieved by custom credential plugins"
}

FKIE_CVE-2025-2598

Vulnerability from fkie_nvd - Published: 2025-03-21 15:15 - Updated: 2025-10-14 19:15

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
ff89ba41-3aa1-4d27-914a-91399e9639e5	https://aws.amazon.com/security/security-bulletins/AWS-2025-005/	Vendor Advisory
ff89ba41-3aa1-4d27-914a-91399e9639e5	https://github.com/aws/aws-cdk/releases/tag/v2.178.2
ff89ba41-3aa1-4d27-914a-91399e9639e5	https://github.com/aws/aws-cdk/security/advisories/GHSA-v63m-x9r9-8gqp	Vendor Advisory

Impacted products

	Vendor	Product	Version
	amazon	aws_cloud_development_kit	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:amazon:aws_cloud_development_kit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D58DAB0A-9735-4832-B092-ECCD20545D1F",
              "versionEndExcluding": "2.178.2",
              "versionStartIncluding": "2.172.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes."
    },
    {
      "lang": "es",
      "value": "Cuando se utiliza la interfaz de l\u00ednea de comandos (CLI) de AWS CDK de AWS Cloud Development Kit (AWS CDK) con un complemento de credenciales que devuelve una propiedad de expiraci\u00f3n con las credenciales de AWS recuperadas, estas se imprimen en la salida de la consola. Para mitigar este problema, los usuarios deben actualizar a la versi\u00f3n 2.178.2 o posterior y asegurarse de que cualquier c\u00f3digo bifurcado o derivado est\u00e9 parcheado para incorporar las nuevas correcciones."
    }
  ],
  "id": "CVE-2025-2598",
  "lastModified": "2025-10-14T19:15:39.090",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-21T15:15:43.120",
  "references": [
    {
      "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-005/"
    },
    {
      "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
      "url": "https://github.com/aws/aws-cdk/releases/tag/v2.178.2"
    },
    {
      "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/aws/aws-cdk/security/advisories/GHSA-v63m-x9r9-8gqp"
    }
  ],
  "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-497"
        }
      ],
      "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-2598 (GCVE-0-2025-2598)

GHSA-V63M-X9R9-8GQP

Summary

Impact

Impacted versions: >=2.172.0 and <2.178.2

Patches

Workarounds

References

FKIE_CVE-2025-2598

Tags

Sightings

Nomenclature