First published: Fri Mar 21 2025
## Summary

The AWS Cloud Development Kit (AWS CDK) [1] is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. The AWS CDK CLI [2] is a command line tool for interacting with CDK applications. Customers can use the CDK CLI to create, manage, and deploy their AWS CDK projects.

An issue exists in the AWS CDK CLI where, under certain conditions, AWS credentials may be returned in the console output. Plugins that return an `expiration` property in the credentials object are affected by this issue. Plugins that omit the `expiration` property are not affected.

## Impact

When customers run AWS CDK CLI commands with credential plugins and configure those plugins to return temporary credentials by including an `expiration` property, the AWS credentials retrieved by the plugin may be returned in the console output. Any user with access to the environment where the CDK CLI was run (or to its captured output, such as CI logs) would have access to those credentials.

The following are examples of configuring a custom credential plugin:

_Via command line option:_

`cdk deploy --plugin /path/to/plugin`

_Via configuration file [3]:_

```json
{
  "plugin": "/path/to/plugin"
}
```

Plugins that return an `expiration` property in the credentials object, such as the following example, are affected:

```javascript
return {
  accessKeyId: '<access-key>',
  secretAccessKey: '<secret-access-key>',
  sessionToken: '<session-token>',
  expiration: <date>,
};
```

The `expiration` property indicates that the provided credentials are temporary. Please refer to our "AWS CDK CLI Library" guide for more information about custom credential plugins [4].

## Impacted versions

`>=2.172.0` and `<2.178.2`

## Patches

The issue has been addressed in version 2.178.2 [5]. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

## Workarounds

If you are unable to upgrade to version 2.178.2 or later, you can downgrade to version 2.171.1.

If you are unable to downgrade, but have access to the code of the credential plugin you use, you can remove the `expiration` property from the object returned by the plugin. For example, change the code from returning this:

```javascript
return {
  accessKeyId: assumeRoleOutput.Credentials.AccessKeyId,
  secretAccessKey: assumeRoleOutput.Credentials.SecretAccessKey,
  sessionToken: assumeRoleOutput.Credentials.SessionToken,
  // Expiration indicates to the CLI that this is temporary
  expiration: assumeRoleOutput.Credentials.Expiration,
};
```

To return this:

```javascript
return {
  accessKeyId: assumeRoleOutput.Credentials.AccessKeyId,
  secretAccessKey: assumeRoleOutput.Credentials.SecretAccessKey,
  sessionToken: assumeRoleOutput.Credentials.SessionToken,
};
```

Note that this will prevent the CDK CLI from refreshing the credentials when needed, and may cause your workflow to fail with an expired credentials error.

## References

- [1] https://docs.aws.amazon.com/cdk/v2/guide/home.html
- [2] https://docs.aws.amazon.com/cdk/v2/guide/cli.html
- [3] https://docs.aws.amazon.com/cdk/v2/guide/cli.html#cli-config
- [4] https://www.npmjs.com/package/@aws-cdk/cli-plugin-contract
- [5] https://github.com/aws/aws-cdk/releases/tag/v2.178.2
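Two defender-side helpers for the Impact and Workarounds sections above, added here as an example and not code from AWS or the aws-cdk project: a check of whether a `cdk --version` string falls inside the affected range stated in the advisory, and a redaction helper that strips the secret fields from a plugin's credentials object before anything is written to a log. The version bounds and field names come from the advisory; the sample credential values are constructed.

```javascript
// Added example for CVE-2025-2598 (not from the advisory or the aws-cdk project).
// Affected range per the advisory: >=2.172.0 and <2.178.2.

// Extract "major.minor.patch" from a version string; tolerates trailing text
// such as the build suffix that `cdk --version` appends.
function parseVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(text);
  if (!m) throw new Error(`no semver found in: ${text}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed CDK CLI is inside the advisory's affected range.
function isAffectedCdkVersion(versionText) {
  const v = parseVersion(versionText);
  return compareVersions(v, [2, 172, 0]) >= 0 && compareVersions(v, [2, 178, 2]) < 0;
}

// Return a copy of a plugin credentials object that is safe to log: the key ID is
// reduced to its 4-character prefix, the secret fields are replaced, and
// `expiration` (a Date in the plugin contract shown above) becomes an ISO string.
// The input object is not modified.
function redactCredentials(creds) {
  const out = { ...creds };
  if (typeof out.accessKeyId === 'string') {
    out.accessKeyId = out.accessKeyId.slice(0, 4) + '****';
  }
  for (const k of ['secretAccessKey', 'sessionToken']) {
    if (k in out) out[k] = '[REDACTED]';
  }
  if (out.expiration instanceof Date) out.expiration = out.expiration.toISOString();
  return out;
}

// Constructed sample values (not real credentials).
const sampleCredentials = {
  accessKeyId: 'ASIAEXAMPLE000000000',
  secretAccessKey: 'constructed-secret-value',
  sessionToken: 'constructed-session-token',
  expiration: new Date('2025-03-21T00:00:00Z'),
};

console.log(isAffectedCdkVersion('2.177.0 (build 0000000)')); // true
console.log(redactCredentials(sampleCredentials));
```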
Credit: ff89ba41-3aa1-4d27-914a-91399e9639e5
| Affected Software | Affected Version | How to fix |
|---|---|---|
| AWS Cloud Development Kit Command Line Interface | <2.178.2 | |
| npm/cdk | >=2.172.0, <2.178.2 | 2.178.2 |
| npm/aws-cdk | >=2.172.0, <2.178.2 | 2.178.2 |
CVE-2025-2598 is classified as a security vulnerability that exposes sensitive AWS credentials in command line output.
To fix CVE-2025-2598, you should upgrade the AWS Cloud Development Kit Command Line Interface to version 2.178.2 or later.
CVE-2025-2598 specifically affects the AWS Cloud Development Kit Command Line Interface prior to version 2.178.2.
The impact of CVE-2025-2598 includes the potential exposure of AWS credentials, which can lead to unauthorized access to AWS resources.
CVE-2025-2598 occurs when the AWS CDK CLI is used with a credential plugin that returns credentials containing an `expiration` property; the CLI may then output those credentials to the console.