Potential Insecure Connection in AWS Cloud Development Kit OIDC Custom Resource Provider
CVE-2025-23206

1.8 LOW

Key Information:

Vendor: AWS
Status: Vendor
CVE Published: 17 January 2025

What is CVE-2025-23206?

The AWS Cloud Development Kit (AWS CDK) contains an insecure connection setting in its OIDC custom resource provider package. The call to tls.connect is configured with rejectUnauthorized: false, which allows connections to OIDC providers whose certificates cannot be verified and may expose users to risk. Although users may legitimately choose to connect to unauthorized OIDC providers, AWS CDK should follow best practice and set rejectUnauthorized: true. Because this change could affect existing applications, a feature flag should be introduced to manage the transition. The code runs in a Lambda environment, which reduces the likelihood of a man-in-the-middle attack. Users are advised to upgrade to AWS CDK version 2.177.0, expected to be released on February 22, 2025, and to enable the feature flag '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' in their configuration. There are currently no known workarounds for this issue.

Affected Version(s)

aws-cdk < 2.177.0

References

CVSS V4

Score: 1.8
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
