CVE-2025-2598 MEDIUM

CVE-2025-2598: AWS CDK CLI prints AWS credentials retrieved by custom credential plugins

Vendor Aws
Product Cloud Development Kit Command Line Interface
Weakness CWE-497
Published March 21, 2025
Last update October 14, 2025

CVSS base score

5.7/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin that returns an expiration property along with the retrieved AWS credentials, those credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

Key dates

02 Disclosure timeline

March 21, 2025 CVE published
October 14, 2025 Record updated