CVE-2025-23206 Information
Description
The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users of the IAM OIDC custom resource provider package download CA thumbprints as part of the custom resource workflow. However, the current tls.connect call always sets rejectUnauthorized: false, which is a potential security concern. CDK should follow best practice and set rejectUnauthorized: true. Because this could be a breaking change for existing CDK applications, the fix is gated behind a feature flag. Note that this is marked as a low-severity security advisory because the issuer URL is provided by the CDK users who define the CDK application; if they insist on connecting to an unauthorized OIDC provider, CDK should not disallow this. Additionally, the code block runs in a Lambda environment, which mitigates the MITM attack. The patch is in progress. To mitigate, upgrade to CDK v2.177.0 (expected release date 2025-02-22). Once upgraded, users should make sure the feature flag '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' is set to true in cdk.context.json or cdk.json. There are no known workarounds for this vulnerability.
Reference
https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts#L34
https://github.com/aws/aws-cdk/issues/32920
https://github.com/aws/aws-cdk/security/advisories/GHSA-v4mq-x674-ff73