CVE-2025-2598

5.5 MEDIUM

📋 TL;DR

The AWS CDK CLI prints AWS credentials to console output when used with credential plugins that return expiration properties. This exposes sensitive credentials to anyone with access to console logs. Users of AWS CDK CLI with credential plugins are affected.

💻 Affected Systems

Products:
  • AWS Cloud Development Kit (AWS CDK) Command Line Interface
Versions: Versions before 2.178.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations using credential plugins that return expiration properties with credentials.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

AWS credentials are captured from console logs, leading to unauthorized access to AWS resources, data exfiltration, or resource hijacking.

🟠

Likely Case

Credentials exposed in development or CI/CD logs, potentially compromising AWS accounts if logs are not properly secured.

🟢

If Mitigated

Minimal impact if proper credential management and log security controls are in place.

🌐 Internet-Facing: LOW - This requires access to console output, typically not directly internet-facing.
🏢 Internal Only: MEDIUM - Internal users or systems with access to console logs could capture credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simply requires viewing console output where credentials are printed.

Exploitation requires access to console logs where AWS CDK CLI output is captured.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.178.2 or later

Vendor Advisory: https://github.com/aws/aws-cdk/security/advisories/GHSA-v63m-x9r9-8gqp

Restart Required: No

Instructions:

1. Update AWS CDK CLI using npm: 'npm update -g aws-cdk'
2. Verify version with 'cdk --version'
3. Ensure version is 2.178.2 or higher

🔧 Temporary Workarounds

Avoid credential plugins with expiration properties

Platform: all

Temporarily stop using credential plugins that return expiration properties until patched.

Secure console output

Platform: linux

Redirect or filter AWS CDK CLI output to prevent credential exposure in logs.

# Example: capture output to a file while dropping any line that carries credential
# material. Matching only the word 'credentials' misses the key values themselves, so
# also match the AWS access key ID prefixes (AKIA long-term, ASIA temporary) and the
# credential-object field names the SDK uses.
cdk deploy 2>&1 | grep -v -E 'credentials|accessKeyId|secretAccessKey|sessionToken|AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}' > output.log

🧯 If You Can't Patch

  • Monitor and secure all logs containing AWS CDK CLI output
  • Implement strict access controls for systems running AWS CDK CLI

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if you run an AWS CDK CLI version below 2.178.2 together with a credential plugin that returns expiration properties with its credentials.

Check Version:

cdk --version

Verify Fix Applied:

Run 'cdk --version' and confirm version is 2.178.2 or higher.

📡 Detection & Monitoring

Log Indicators:

  • AWS credentials appearing in console logs
  • AWS CDK CLI output containing credential strings

Network Indicators:

  • Unusual AWS API calls from unexpected locations if credentials are compromised

SIEM Query:

source="console_logs" AND ("AWS_ACCESS_KEY_ID" OR "AWS_SECRET_ACCESS_KEY")
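The log indicators above, and the output-filtering workaround, turned into a small scanner as an added example (not code from the advisory or the aws-cdk project). The credential-object field names and the `name: 'value'` dump format are assumptions about how a leaked object appears; the sample log is constructed with fake values.

```javascript
// Added example (not from the advisory or the aws-cdk project): scan captured CDK CLI
// output for the credential material CVE-2025-2598 leaks and produce a redacted copy.
// Long-term AWS access key IDs start with AKIA, temporary (STS) ones with ASIA.
const ACCESS_KEY_ID_RE = /\b(AKIA|ASIA)[0-9A-Z]{16}\b/g;
// Credential-object field names of the AWS SDK for JavaScript, as they would appear
// when such an object is dumped to the console (assumed form: `name: 'value'`).
const SECRET_FIELD_RE = /\b(secretAccessKey|sessionToken)\b\s*[:=]\s*(['"]?)([^'",\s}]+)\2/g;

// Return every credential-looking token found on one log line.
function scanLogLine(line) {
  const findings = [];
  for (const m of line.matchAll(ACCESS_KEY_ID_RE)) {
    findings.push({ kind: 'accessKeyId', value: m[0] });
  }
  for (const m of line.matchAll(SECRET_FIELD_RE)) {
    findings.push({ kind: m[1], value: m[3] });
  }
  return findings;
}

// Mask key IDs (keeping the 4-char prefix) and blank out secret fields.
function redactLogLine(line) {
  return line
    .replace(ACCESS_KEY_ID_RE, (id) => id.slice(0, 4) + '*'.repeat(16))
    .replace(SECRET_FIELD_RE, (_, field) => `${field}: [REDACTED]`);
}

// Scan a whole captured log: findings with 1-based line numbers, plus a redacted copy.
function scanCdkOutput(logText) {
  const lines = logText.split('\n');
  const findings = [];
  lines.forEach((line, i) => {
    for (const f of scanLogLine(line)) findings.push({ line: i + 1, ...f });
  });
  return { findings, redacted: lines.map(redactLogLine).join('\n') };
}

// Constructed sample of a plugin credential object echoed by a vulnerable run; values are fake.
const SAMPLE_LOG = [
  'Using credentials from plugin my-plugin',
  "{ accessKeyId: 'ASIAEXAMPLE0000000AB', secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',",
  "  sessionToken: 'FwoGZXIvYXdzEXAMPLETOKEN', expiration: 2025-03-01T00:00:00.000Z }",
  'Stack MyStack: deploying...',
].join('\n');

// Stand-alone run: report where credential material was found without echoing it.
for (const f of scanCdkOutput(SAMPLE_LOG).findings) {
  console.log(`line ${f.line}: ${f.kind} leaked`);
}
```

Feed it the captured CI log instead of SAMPLE_LOG to flag runs that need key rotation, and keep only the redacted copy.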

🔗 References
