CVE-2025-14503
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges.
We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| AWS | Harmonix on AWS | 0.3.0 < 0.4.2 | affected |
Weaknesses
- CWE-266: CWE-266 Incorrect Privilege Assignment
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/awslabs/harmonix/pull/189
- https://aws.amazon.com/security/security-bulletins/AWS-2025-031/
- https://github.com/awslabs/harmonix/security/advisories/GHSA-qm86-gqrq-mqcw
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.