Incorrect Execution-Assigned Permissions Affecting aws-cdk-lib package, versions >=2.172.0 <2.189.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-AWSCDKLIB-9712558
- published16 Apr 2025
- disclosed15 Apr 2025
- creditUnknown
Introduced: 15 Apr 2025
New CVE NOT AVAILABLE CWE-279 (opens in a new tab)How to fix?
Upgrade aws-cdk-lib to version 2.189.1 or higher.
Overview
aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library
Affected versions of this package are vulnerable to Incorrect Execution-Assigned Permissions when creating Aspects with the default execution order configured. An attacker can manipulate the permissions boundary of a role by assigning DEFAULT permissions to a custom Aspect, which can be overridden by a built-in CDK method using MUTATING permission. This is likely to have the effect of custom Aspects having lower than the expected permissions, but the possibility exists in environments with very permissive policies that the result would be higher than expected permissions.
Workaround
This vulnerability can be mitigated by reverting to the location hierarchy logic to order the invocation of Aspects. This can be accomplished by a method like
Aspects.of(stack).add(new CustomAspectThatAssignsDefaultPermissionsBoundaries(), {
priority: AspectPriority.MUTATING,
});