CVE-2024-45037

6.4 MEDIUM

📋 TL;DR

A vulnerability in AWS Cloud Development Kit (CDK) versions 2.142.0 through 2.148.0 allows authenticated Amazon Cognito users to gain unintended access to protected API resources when the RestApi construct is used with CognitoUserPoolAuthorizer and authorization scopes. This can lead to unauthorized data disclosure or modification. Only CDK applications using this specific configuration are affected.

💻 Affected Systems

Products:
  • AWS Cloud Development Kit (CDK)
Versions: >=2.142.0;<=2.148.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects CDK applications using the RestApi construct with CognitoUserPoolAuthorizer and authorization scopes. Other configurations are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Authenticated users bypass intended authorization scopes and gain full access to protected API resources, potentially leading to data exfiltration, unauthorized modifications, or privilege escalation.

🟠

Likely Case

Authenticated users access API endpoints they shouldn't have permission to use, resulting in unauthorized data viewing or limited modification capabilities.

🟢

If Mitigated

With proper monitoring and least privilege IAM policies, impact is limited to specific API endpoints rather than broader account compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated Cognito user access and specific CDK configuration. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: >=2.148.1

Vendor Advisory: https://github.com/aws/aws-cdk/security/advisories/GHSA-qj85-69xf-2vxq

Restart Required: No

Instructions:

1. Update AWS CDK to version 2.148.1 or newer using npm update -g aws-cdk or your package manager.
2. Re-deploy all affected CDK applications.
3. Verify the new deployment uses the patched version.

🔧 Temporary Workarounds

Temporary API Gateway Configuration

Applies to: all

Manually adjust API Gateway authorization settings in the AWS Console to enforce the intended scopes.

🧯 If You Can't Patch

  • Review and tighten IAM policies for affected API resources to minimize potential damage
  • Implement additional API Gateway request validation and monitoring for unauthorized access patterns

🔍 How to Verify

Check if Vulnerable:

Check whether the CDK version is between 2.142.0 and 2.148.0 inclusive, and whether the application uses RestApi with CognitoUserPoolAuthorizer and authorization scopes.

Check Version:

cdk --version

Verify Fix Applied:

Confirm CDK version is 2.148.1 or newer and re-deployed application shows proper authorization behavior
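The two verification steps above (version in the affected range, and the re-deployed application actually carrying its scopes) can be scripted. The following is an added example, not code from the advisory or from the aws-cdk project: it parses `cdk --version` output against the affected range, and walks a synthesized CloudFormation template (the JSON that `cdk synth` writes to `cdk.out`) to list `AWS::ApiGateway::Method` resources that use a Cognito user pool authorizer but carry no `AuthorizationScopes`. It assumes, which the page does not state, that the lost scopes are visible in the synthesized template as a missing or empty `AuthorizationScopes` property; the sample template and version strings are constructed for this example.

```python
"""Added example for CVE-2024-45037 (not the advisory's or aws-cdk's code).

Two defender-side checks:
  * is_affected_version(): is a CDK version inside 2.142.0..2.148.0?
  * cognito_methods_without_scopes(): given a synthesized CloudFormation
    template, list the AWS::ApiGateway::Method resources that use a
    Cognito user pool authorizer but carry no AuthorizationScopes.
Assumption (not stated on the page): the lost scopes show up in the
synthesized template as a missing/empty AuthorizationScopes property.
"""
import json
from typing import Dict, List, Set, Tuple

AFFECTED_MIN = (2, 142, 0)   # first affected version, from the advisory
AFFECTED_MAX = (2, 148, 0)   # last affected version; 2.148.1 is fixed


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '2.148.0' or `cdk --version` output such as '2.148.0 (build ...)'."""
    core = text.strip().split()[0]          # drop a trailing '(build ...)'
    core = core.split("-")[0]               # drop any prerelease suffix
    return tuple(int(p) for p in core.split("."))


def is_affected_version(text: str) -> bool:
    """True when the version lies in the inclusive affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def _cognito_authorizer_ids(resources: Dict) -> Set[str]:
    """Logical ids of AWS::ApiGateway::Authorizer resources of type COGNITO_USER_POOLS."""
    return {
        lid for lid, res in resources.items()
        if res.get("Type") == "AWS::ApiGateway::Authorizer"
        and res.get("Properties", {}).get("Type") == "COGNITO_USER_POOLS"
    }


def cognito_methods_without_scopes(template: Dict) -> List[Tuple[str, str]]:
    """Return (logical_id, HttpMethod) for Cognito-protected methods lacking scopes."""
    resources = template.get("Resources", {})
    cognito_ids = _cognito_authorizer_ids(resources)
    findings = []
    for lid, res in resources.items():
        if res.get("Type") != "AWS::ApiGateway::Method":
            continue
        props = res.get("Properties", {})
        authorizer_ref = props.get("AuthorizerId", {})
        ref_id = authorizer_ref.get("Ref") if isinstance(authorizer_ref, dict) else None
        uses_cognito = (
            props.get("AuthorizationType") == "COGNITO_USER_POOLS"
            or ref_id in cognito_ids
        )
        # An empty list is as bad as a missing property: nothing is enforced.
        if uses_cognito and not props.get("AuthorizationScopes"):
            findings.append((lid, props.get("HttpMethod", "?")))
    return sorted(findings)


# Constructed sample template: one Cognito authorizer, one scoped method,
# one Cognito method that lost its scopes, and an unauthenticated OPTIONS method.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "ApiAuthorizer": {
      "Type": "AWS::ApiGateway::Authorizer",
      "Properties": {"Type": "COGNITO_USER_POOLS", "Name": "UserPoolAuth"}
    },
    "ItemsGET": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "HttpMethod": "GET",
        "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {"Ref": "ApiAuthorizer"},
        "AuthorizationScopes": ["items/read"]
      }
    },
    "ItemsPOST": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "HttpMethod": "POST",
        "AuthorizationType": "COGNITO_USER_POOLS",
        "AuthorizerId": {"Ref": "ApiAuthorizer"}
      }
    },
    "ItemsOPTIONS": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {"HttpMethod": "OPTIONS", "AuthorizationType": "NONE"}
    }
  }
}
""")

if __name__ == "__main__":
    # Constructed build id; real `cdk --version` output has the same shape.
    print("affected 2.148.0:", is_affected_version("2.148.0 (build 1a2b3c)"))
    print("affected 2.148.1:", is_affected_version("2.148.1"))
    for lid, method in cognito_methods_without_scopes(SAMPLE_TEMPLATE):
        print(f"{lid} ({method}) uses Cognito but has no AuthorizationScopes")
```

Run the template check against the stack's JSON in `cdk.out` both before and after upgrading to 2.148.1 and re-deploying; a method that appears in the findings after the upgrade was never given scopes in the CDK source and should be fixed there rather than attributed to this CVE.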

📡 Detection & Monitoring

Log Indicators:

  • API Gateway logs showing authenticated users accessing endpoints outside their scopes
  • CloudTrail events showing unexpected API method executions

Network Indicators:

  • Unusual API request patterns from authenticated users
  • Requests to protected endpoints without proper scope headers

SIEM Query:

source="aws.cloudtrail" eventName="ExecuteApi" errorCode="AccessDenied" | stats count by userIdentity.principalId, eventSource, eventName

🔗 References