
Improper Verification of Cryptographic Signature

CVE-2025-23206

Severity Low
Score 1.8/10

Summary

The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. Users of the IAM OIDC custom resource provider package download CA thumbprints as part of the custom resource workflow. However, the current `tls.connect` call always sets `rejectUnauthorized: false`, which is a potential security concern. CDK should follow best practice and set `rejectUnauthorized: true`. Because this could be a breaking change for existing CDK applications, the fix should be gated behind a feature flag. This advisory is marked as low severity because the issuer URL is supplied by the CDK users who define the CDK application; if they insist on connecting to an unauthorized OIDC provider, CDK should not disallow this. Additionally, the code block runs in a Lambda environment, which mitigates the MITM attack. This vulnerability affects aws-cdk-lib package versions through 2.176.0. To mitigate it, upgrade to CDK v2.177.0. Once upgraded, users should make sure the feature flag `@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections` is set to true in `cdk.context.json` or `cdk.json`.

  • HIGH
  • NETWORK
  • ACTIVE
  • HIGH

CWE-347 - Improper Verification of Cryptographic Signature

A cryptographic protocol is meant to ensure that services are provided in a secure manner. An application with absent or improper verification of cryptographic signatures allows malicious users to feed false messages to valid users or to disclose sensitive data, subverting the goals of the protocol. This can lead to security failures such as false authentication, account hijacking, and privilege escalation.

Advisory Timeline

  • Published