GHSA-qc59-cxj2-c2w4: 
JavaScript vulnerability analysis and mitigation

The AWS Cloud Development Kit (AWS CDK) version 2.172.0 introduced a vulnerability identified as GHSA-qc59-cxj2-c2w4, affecting aws-cdk-lib versions 2.172.0 to 2.189.1. The issue involves an aspect order change that causes unexpected permissions boundary assignments to IAM roles. This vulnerability was discovered and disclosed in April 2025, impacting applications using custom aspects for permissions boundary assignments (GitHub Advisory).

The vulnerability stems from a new priority system introduced for Aspects execution. Prior to version 2.172.0, CDK executed Aspects based on hierarchical location. The new system introduced different priority classes: MUTATING (priority 200) for CDK API-added Aspects and DEFAULT (priority 500) for user-added Aspects. This change altered the invocation order, causing unexpected behavior when custom Aspects assign default permissions boundaries that are meant to be overridden by built-in CDK methods. The vulnerability has a CVSS score of 2.2 (Low) with a vector string of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

The vulnerability can result in IAM roles receiving incorrect permissions boundaries. This could lead to two potential scenarios: roles having insufficient permissions to perform their intended functions, or roles potentially having wider permissions than intended when combined with overly permissive role policies. However, the latter scenario requires additional misconfiguration as permissions boundaries themselves do not grant permissions (GitHub Advisory).

The issue has been patched in version 2.189.1, which reverts to the pre-2.172.0 behavior. Users can access the new behavior through a feature flag: '{"context": {"@aws-cdk/core:aspectPrioritiesMutating": true}}'. As a workaround, users can assign their custom Aspect a priority of MUTATING to ensure it has the same priority as the CDK API-added Aspect, allowing the location hierarchy to determine the invocation order (GitHub Advisory).

GoDaddy collaborated with AWS on this issue through the coordinated vulnerability disclosure process. The vulnerability was addressed promptly with a patch release and clear documentation of the issue (GitHub Advisory).