CVE-2025-23206
Published: 17 January 2025
Description
The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users of the IAM OIDC custom resource provider package download CA thumbprints as part of the custom resource workflow. However, the current `tls.connect` call always sets `rejectUnauthorized: false`, which is a potential security concern. CDK should follow best practice and set `rejectUnauthorized: true`. However, this could be a breaking change for existing CDK applications, and we should fix this with a feature flag. Note that this is marked as a low-severity security advisory because the issuer URL is provided by the CDK users who define the CDK application; if they insist on connecting to an unauthorized OIDC provider, CDK should not disallow this. Additionally, the code block runs in a Lambda environment, which mitigates the MITM attack. The patch is in progress. To mitigate, upgrade to CDK v2.177.0 (expected release date 2025-02-22). Once upgraded, users should make sure the feature flag `@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections` is set to true in `cdk.context.json` or `cdk.json`. There are no known workarounds for this vulnerability.
Security Summary
CVE-2025-23206 is a vulnerability in the AWS Cloud Development Kit (AWS CDK), an open-source framework for defining and provisioning AWS infrastructure via CloudFormation. It specifically affects users of the IAM OIDC custom resource provider package, where the `tls.connect` method always sets `rejectUnauthorized: false` during the workflow to download CA Thumbprints from a user-provided OIDC issuer URL. This disables TLS certificate validation, contrary to best practices that recommend `rejectUnauthorized: true`.
The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), associated with CWE-347. Exploitation requires low privileges (PR:L) and can occur over the network with low complexity and no user interaction. An attacker could potentially perform a man-in-the-middle attack to intercept or tamper with CA Thumbprints, leading to high confidentiality and integrity impacts. However, the advisory designates it low severity due to user control over the issuer URL and execution within a Lambda environment, which mitigates practical MITM risks.
Mitigation requires upgrading to AWS CDK v2.177.0, expected on 2025-02-22. Post-upgrade, users must set the feature flag `@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections` to true in `cdk.context.json` or `cdk.json`, as the change is opt-in to avoid breaking existing applications. No workarounds are available. Details are in AWS CDK GitHub issues #32920 and #32921, pull request #32921, the external.ts source code, and the feature flag documentation.
This vulnerability has no reported real-world exploitation. The patch remains in progress as of the CVE publication on 2025-01-17.
Details
- CWE(s)