CVE-2025-2598
JavaScript vulnerability analysis and mitigation

Overview

CVE-2025-2598 affects the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI, the `aws-cdk` npm package) versions 2.172.0 through 2.178.1. When the CDK CLI is used with a credential plugin that returns AWS credentials carrying an expiration property, the CLI prints those credentials to its console output (AWS Security Bulletin, NVD).

Technical details

The vulnerability is triggered when the CDK CLI is run with a credential plugin configured to return temporary credentials (access key ID, secret access key and session token) that include an expiration property. Credentials returned without that property do not take the affected code path. The result is that the retrieved AWS credentials are written in clear text to the console output. The vulnerability has been assigned a CVSS v4.0 score of 5.7 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N: local access with low privileges is required and a precondition must hold (a plugin returning an expiration property), but the confidentiality impact is high, since the exposed values are usable AWS credentials (GitHub Advisory).

Impact

Anyone who can read the console output of the host where the CDK CLI was run, or anything that captures that output (terminal scrollback, shell session recordings, CI/CD build logs), can see the AWS credentials the plugin retrieved and use them for unauthorized access to AWS resources for as long as they remain valid. Only plugins that return an expiration property in the credentials object are affected; plugins that omit the property are not (AWS Security Bulletin).

Mitigation and workarounds

AWS has released version 2.178.2 to address this vulnerability; users should upgrade to that version or later and confirm the installed version with `cdk --version`. For those unable to upgrade, the workarounds are to downgrade to version 2.171.1 (the last release before the affected range) or to modify the credential plugin so that the returned credentials object no longer contains the expiration property. Removing the expiration property, however, means the CDK CLI can no longer tell when the credentials expire and will not refresh them, so long-running commands may fail once the credentials lapse (AWS Security Bulletin, GitHub Advisory). Where an affected version was run with such a plugin, treat any credentials that appeared in captured output (for example CI build logs) as exposed and rotate them.
