CVE-2025-23206
Published: 17 January 2025
Summary
CVE-2025-23206 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in the Amazon AWS Cloud Development Kit. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 20.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-8 (Transmission Confidentiality and Integrity): Requires cryptographic protection for transmission confidentiality and integrity, directly mitigating the MITM risk from tls.connect disabling certificate validation.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of software flaws, directly enabling upgrade to the patched CDK version that fixes rejectUnauthorized.
- Configuration settings: Establishes and enforces secure configuration settings, such as enabling the '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' feature flag post-upgrade.
MITRE ATT&CK Enterprise Techniques
- T1557 (Adversary-in-the-Middle)
Why these techniques?
The vulnerability disables TLS certificate validation (rejectUnauthorized: false) when downloading CA thumbprints, directly enabling man-in-the-middle attacks to intercept or tamper with data, as explicitly described in the CVE.
NVD Description
The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users who use the IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow. However, the current `tls.connect` method will always set `rejectUnauthorized: false` which is a potential security concern. CDK should follow the best practice and set `rejectUnauthorized: true`. However, this could be a breaking change for existing CDK applications and we should fix this with a feature flag. Note that this is marked as low severity Security advisory because the issuer url is provided by CDK users who define the CDK application. If they insist on connecting to an unauthorized OIDC provider, CDK should not disallow this. Additionally, the code block is run in a Lambda environment which mitigates the MITM attack. The patch is in progress. To mitigate, upgrade to CDK v2.177.0 (Expected release date 2025-02-22). Once upgraded, users should make sure the feature flag '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' is set to true in `cdk.context.json` or `cdk.json`. There are no known workarounds for this vulnerability.
Deeper analysis
CVE-2025-23206 is a vulnerability in the AWS Cloud Development Kit (AWS CDK), an open-source framework for defining and provisioning AWS infrastructure via CloudFormation. It specifically affects users of the IAM OIDC custom resource provider package, where the `tls.connect` method always sets `rejectUnauthorized: false` during the workflow to download CA Thumbprints from a user-provided OIDC issuer URL. This disables TLS certificate validation, contrary to best practices that recommend `rejectUnauthorized: true`.
The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), associated with CWE-347. Exploitation requires low privileges (PR:L) and can occur over the network with low complexity and no user interaction. An attacker could potentially perform a man-in-the-middle attack to intercept or tamper with CA Thumbprints, leading to high confidentiality and integrity impacts. However, the advisory designates it low severity due to user control over the issuer URL and execution within a Lambda environment, which mitigates practical MITM risks.
Mitigation requires upgrading to AWS CDK v2.177.0, expected on 2025-02-22. Post-upgrade, users must set the feature flag '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' to true in `cdk.context.json` or `cdk.json`, as the change is opt-in to avoid breaking existing applications. No workarounds are available. Details are in AWS CDK GitHub issues #32920 and #32921, pull request #32921, the external.ts source code, and the feature flag documentation.
This vulnerability has no reported real-world exploitation. The patch remains in progress as of the CVE publication on 2025-01-17.
Details
- CWE(s)