Privilege Escalation Vulnerability in Harmonix on AWS Framework by AWS
CVE-2025-14503

8.6 HIGH

Key Information:

Vendor

AWS
CVE Published:
15 December 2025

What is CVE-2025-14503?

The Harmonix on AWS framework contains a privilege escalation vulnerability caused by an overly permissive IAM trust policy that lets authenticated users escalate their privileges through role assumption. Specifically, the sample code for the EKS environment provisioning role trusts the account root principal, so any principal in the same AWS account that holds sts:AssumeRole permission can assume the role and obtain its administrative privileges. To mitigate this risk, users running Harmonix on AWS versions 0.3.0 through 0.4.1 should upgrade to version 0.4.2 or later.
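As an added example (not code from the Harmonix project), the following block embeds a constructed trust policy of the kind the advisory describes, a constructed scoped alternative, and a small checker that flags trust statements granting AssumeRole to the account root principal, a bare account ID, or a wildcard. The account ID and role name are placeholders.

```python
import json
import re

# Constructed sample: a trust policy that trusts the account root principal,
# the pattern the advisory describes (illustrative, not Harmonix's own code).
ROOT_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed hardened form: trust one named role (placeholder role name).
SCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-provisioner"},
        "Action": "sts:AssumeRole",
    }],
})

ROOT_ARN = re.compile(r"^arn:aws:iam::\d{12}:root$")
ACCOUNT_ID = re.compile(r"^\d{12}$")  # a bare account ID is treated as root
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM accepts a string or a list for Action and Principal.AWS."""
    return [value] if isinstance(value, str) else list(value or [])


def find_root_trusts(policy_json):
    """Return principals of Allow + AssumeRole statements that trust the whole
    account (root ARN, bare account ID, or '*'); review each hit, since a
    Condition block may narrow the statement."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal")
        aws = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        findings += [p for p in aws if p == "*" or ROOT_ARN.match(p) or ACCOUNT_ID.match(p)]
    return findings
```

Run `find_root_trusts` over the trust policy document of each role (for example the output of `aws iam get-role`) to locate roles that any principal with sts:AssumeRole in the account could assume.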

Affected Version(s)

Harmonix on AWS >= 0.3.0, < 0.4.2

CVSS v4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
