CVE-2025-23206 – AWS CDK's IAM OIDC custom resource provider has... (How to Fix)

Q: What is the severity of CVE-2025-23206?

CVE-2025-23206 has a CVSS score of 8.1 (HIGH). AWS CDK's IAM OIDC custom resource provider has a TLS certificate validation vulnerability where it accepts unauthorized connections. This allows potential man-in-the-middle attacks against OIDC provider communications. Only users of AWS CDK's IAM OIDC custom resource provider are affected.

📋 TL;DR

AWS CDK's IAM OIDC custom resource provider has a TLS certificate validation vulnerability where it accepts unauthorized connections. This allows potential man-in-the-middle attacks against OIDC provider communications. Only users of AWS CDK's IAM OIDC custom resource provider are affected.

💻 Affected Systems

Products:

AWS Cloud Development Kit (AWS CDK)

Versions: All versions before v2.177.0

Operating Systems: All platforms running AWS CDK

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects users of the IAM OIDC custom resource provider package. The vulnerability exists in Lambda execution environment.

📦 What is this software?

Aws Cloud Development Kit by Amazon

View all CVEs affecting Aws Cloud Development Kit →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could intercept and manipulate OIDC provider communications, potentially compromising IAM role trust relationships and gaining unauthorized AWS access.

🟠

Likely Case

Limited impact due to Lambda environment isolation and user-controlled OIDC provider URLs, but could enable credential theft in targeted attacks.

🟢

If Mitigated

With proper TLS validation enabled, all unauthorized connections are rejected, preventing MITM attacks.

🌐 Internet-Facing: MEDIUM - OIDC provider connections may be internet-facing, but exploitation requires specific targeting and MITM positioning.

🏢 Internal Only: LOW - Most OIDC provider communications are to external identity providers, not internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires man-in-the-middle position between CDK Lambda and OIDC provider, plus knowledge of specific CDK deployments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CDK v2.177.0 (expected release 2025-02-22)

Vendor Advisory: https://github.com/aws/aws-cdk/issues/32920

Restart Required: No

Instructions:

1. Upgrade to CDK v2.177.0 or later. 2. Set feature flag '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' to true in cdk.context.json or cdk.json. 3. Redeploy CDK applications.

🔧 Temporary Workarounds

No workarounds available

all

AWS states there are no known workarounds for this vulnerability

🧯 If You Can't Patch

Monitor OIDC provider connections for unusual activity or certificate warnings
Consider temporarily disabling IAM OIDC custom resource usage if not essential

🔍 How to Verify

Check if Vulnerable:

Check if using AWS CDK IAM OIDC custom resource provider and version is below v2.177.0

Check Version:

cdk --version

Verify Fix Applied:

Verify CDK version is v2.177.0+ and feature flag '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' is set to true

📡 Detection & Monitoring

Log Indicators:

Lambda execution logs showing TLS certificate validation failures or warnings
CloudTrail logs showing unusual IAM OIDC provider modifications

Network Indicators:

Unusual network traffic patterns between Lambda functions and OIDC providers
Certificate validation failures in network monitoring

SIEM Query:

source:cloudtrail AND (eventName:AssumeRoleWithWebIdentity OR eventName:UpdateAssumeRolePolicy) AND errorCode:*

📊 Metadata

CVE ID: CVE-2025-23206

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-347

EPSS Score: 0.1% exploit probability (26.8th percentile)

Published: January 17, 2025

Last Updated: January 23, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-23206, you might also want to check these: