high

AWS CDK CLI Issue with Custom Credential Plugins

Published Fri, Mar 21st, 2025

Platforms

aws

Summary

AWS identified a security issue in the AWS CDK CLI versions 2.172.0-2.178.1 where temporary credentials from custom credential plugins could be printed to console output. This potentially exposes sensitive information to users with access to the console. The issue affects plugins that include an expiration property when returning temporary credentials.

Affected Services

AWS CDK CLI

Remediation

Upgrade to AWS CDK CLI version 2.178.2 or later. Revoke temporary credentials, limit console access, and rotate long-lived IAM user credentials if affected.

Tracked CVEs

CVE-2025-2598

References

Contributed by https://github.com/korniko98

Entry Status

Stub (AI-Generated)

Disclosure Date

-

Exploitability Period

Until 2025/03/21

Known ITW Exploitation

-

Detection Methods

Scan logs of CDK CLI executions after December 6, 2024 for statements containing accessKeyId, secretAccessKey, and sessionToken. Look for output similar to:

{ accessKeyId: '<secret>', secretAccessKey: '<secret>', sessionToken: '<secret>', expiration: <date>, '$source': <object> }
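The scan described above, as an added example (not code from AWS or the CDK project): a Python function that flags object dumps holding all three credential keys, both in the one-line form shown and when the same object is wrapped across several lines, and masks the values in its report. The function names, the 8-line window and the sample log are assumptions constructed for illustration.

```python
import re

# Key names the advisory says to search for; expiration is tracked separately.
REQUIRED = {"accessKeyId", "secretAccessKey", "sessionToken"}
KEY_RE = re.compile(r"\b(accessKeyId|secretAccessKey|sessionToken|expiration)\s*:")
VALUE_RE = re.compile(r"\b(accessKeyId|secretAccessKey|sessionToken)(\s*:\s*)'[^']*'")
WINDOW = 8  # assumption: a wrapped object dump spans at most 8 log lines

def redact(text):
    """Mask quoted credential values so a finding can be shared safely."""
    return VALUE_RE.sub(r"\1\2'<redacted>'", text)

def object_span(lines, start):
    """Collect lines from `start` until the enclosing braces balance."""
    depth, chunk = (0 if "{" in lines[start] else 1), []  # brace may open earlier
    for line in lines[start:start + WINDOW]:
        chunk.append(line)
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            break
    return chunk

def find_credential_dumps(lines):
    """Return one finding per object dump that holds all three credential keys."""
    findings, i = [], 0
    while i < len(lines):
        if "accessKeyId" in lines[i]:
            chunk = object_span(lines, i)
            keys = set(KEY_RE.findall("\n".join(chunk)))
            if REQUIRED <= keys:
                findings.append({"line": i + 1, "has_expiration": "expiration" in keys,
                                 "excerpt": redact("\n".join(chunk))})
                i += len(chunk) - 1  # skip the rest of this dump
        i += 1
    return findings

SAMPLE_LOG = """\
{ accessKeyId: 'ASIAEXAMPLE0000000000', secretAccessKey: 'constructed-secret-1', sessionToken: 'constructed-token-1', expiration: 2025-01-15T10:00:00.000Z, '$source': { constructed: true } }
{
  accessKeyId: 'ASIAEXAMPLE1111111111',
  secretAccessKey: 'constructed-secret-2',
  sessionToken: 'constructed-token-2',
  expiration: 2025-01-16T10:00:00.000Z
}
Set accessKeyId via the plugin docs
""".splitlines()  # constructed sample log: every value above is fake

if __name__ == "__main__":
    print(find_credential_dumps(SAMPLE_LOG))
```

Any hit means the credentials in that log should be treated as exposed and handled as the Remediation section describes; the excerpt is masked so the finding itself does not spread the secret further.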

Piercing Index Rating

-

Discovered by

AWS