CVE-2025-23206: 
JavaScript vulnerability analysis and mitigation

The AWS Cloud Development Kit (AWS CDK) versions prior to 2.177.0 contain a security vulnerability in the IAM OIDC custom resource provider package. The vulnerability exists because the tls.connect method always sets rejectUnauthorized: false when downloading CA Thumbprints as part of the custom resource workflow, which could potentially allow connections to unauthorized OIDC providers (GitHub Advisory). The vulnerability was discovered in January 2025 and assigned CVE-2025-23206.

The vulnerability stems from the implementation in the aws-cdk/packages/@aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts file where the TLS connection is established without proper verification. The code bypasses verification against the list of trusted CAs by setting rejectUnauthorized: false in the TLS connection options (GitHub Code). The vulnerability has been assigned a CVSS v4.0 score of 1.8 (LOW) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (NVD).

The impact of this vulnerability is considered low severity because the issuer URL is provided by CDK users who define the CDK application. Additionally, the vulnerable code runs in a Lambda environment, which helps mitigate potential Man-in-the-Middle (MITM) attacks. However, the insecure connection could potentially expose the application to unauthorized OIDC providers if explicitly configured by users (GitHub Advisory).

The vulnerability will be patched in AWS CDK version 2.177.0, expected to release on February 22, 2025. Users should upgrade to this version when available and enable the feature flag '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections' by setting it to true in either cdk.context.json or cdk.json. There are no known workarounds for this vulnerability other than the upgrade path (GitHub Advisory).