VYPR
Moderate severity · NVD Advisory · Published Mar 21, 2025 · Updated Oct 14, 2025

AWS CDK CLI prints AWS credentials retrieved by custom credential plugins

CVE-2025-2598

Description

When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AWS CDK CLI versions 2.172.0 to 2.178.1 may print AWS credentials to console output when using credential plugins that return an expiration property; upgrade to 2.178.2 to fix.

Vulnerability

Overview

CVE-2025-2598 affects the AWS Cloud Development Kit (AWS CDK) Command Line Interface (CLI) when used with custom credential plugins that return an expiration property in the credentials object. In affected versions (>=2.172.0 and <2.178.2), the CLI inadvertently prints the retrieved AWS credentials—including accessKeyId, secretAccessKey, and sessionToken—to the console output [2][3]. Plugins that omit the expiration property are not affected [3][4].

Exploitation

Conditions

An attacker does not need direct network access to the CDK CLI process; instead, they require access to the console or log output where the CDK CLI was executed. This could occur in shared development environments, CI/CD pipelines, or any system where console output is captured and stored. The vulnerability is triggered automatically when a credential plugin returns temporary credentials with an expiration field, as the CLI logs the entire credentials object [3][4].

Impact

If exploited, an attacker with access to the console output can obtain valid AWS temporary credentials. These credentials could be used to perform actions within the AWS account associated with the CDK deployment, potentially leading to unauthorized resource access, data exfiltration, or privilege escalation. The severity is heightened because the credentials are printed in plaintext and may remain in logs indefinitely [3][4].

Mitigation

AWS has released a fix in CDK CLI version 2.178.2 [3][4]. Users should upgrade immediately. For those unable to upgrade, a workaround is to downgrade to version 2.171.1 or modify the credential plugin to omit the expiration property if temporary credentials are not required. Additionally, users should audit console logs for any leaked credentials and rotate them if found [4].
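As an added example, not part of this advisory and not the CDK CLI's own code, the following Node.js helper illustrates the two defender-side points from the Conditions and Mitigation sections: `redactCredentials` masks the secret fields of a plugin's credential object before anything logs it, and `findLeakedCredentials` scans captured console or CI output for serialized credential objects so the exposed access key can be identified and rotated. The log line layout and the key values are constructed (the keys are AWS's documented placeholder example keys); the real CDK log format is not given on this page.

```javascript
// Added example (not AWS CDK CLI code). Field names follow the advisory:
// accessKeyId, secretAccessKey, sessionToken, expiration.
const SECRET_FIELDS = ["secretAccessKey", "sessionToken"];

// Return a copy of a credential object that is safe to log: secret fields are
// masked, non-secret metadata (accessKeyId, expiration) is kept for debugging.
function redactCredentials(creds) {
  const safe = {};
  for (const [key, value] of Object.entries(creds)) {
    safe[key] = SECRET_FIELDS.includes(key) && value ? "***REDACTED***" : value;
  }
  return safe;
}

// Match a serialized key/value pair such as  secretAccessKey: 'abc'  or
// "sessionToken": "abc"; quote style and spacing differ between loggers.
const SECRET_PAIR = /\b(secretAccessKey|sessionToken)\b['"]?\s*:\s*['"]([^'"]+)['"]/;
const KEY_ID_PAIR = /\baccessKeyId\b['"]?\s*:\s*['"]([^'"]+)['"]/;

// Scan captured console/CI output line by line and report every line that
// carries a secret credential field, with the accessKeyId when present so the
// matching key can be rotated.
function findLeakedCredentials(logText) {
  const findings = [];
  logText.split("\n").forEach((line, idx) => {
    const m = SECRET_PAIR.exec(line);
    if (!m) return;
    const k = KEY_ID_PAIR.exec(line);
    findings.push({ lineNumber: idx + 1, field: m[1], accessKeyId: k ? k[1] : null });
  });
  return findings;
}

// Constructed sample CI log (assumed format, not real CDK output): line 2
// carries a serialized credential object that includes an expiration property.
// Key values are AWS's documented placeholder example keys.
const SAMPLE_LOG = [
  "[cdk] Using credential plugin my-sso-plugin",
  "[cdk] credentials: { accessKeyId: 'AKIAIOSFODNN7EXAMPLE', secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY', sessionToken: 'FwoGZXIvYXdzEXAMPLE', expiration: 2025-03-21T12:00:00.000Z }",
  "[cdk] Synthesizing stack MyStack",
].join("\n");

console.log(findLeakedCredentials(SAMPLE_LOG));
console.log(redactCredentials({ accessKeyId: "AKIAIOSFODNN7EXAMPLE", secretAccessKey: "x", sessionToken: "y", expiration: new Date(0) }));
```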

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem    Affected versions          Patched versions
aws-cdk    npm          >= 2.172.0, < 2.178.2      2.178.2
cdk        npm          >= 2.172.0, < 2.178.2      2.178.2

Affected products

  • Aws/AWS CDK CLI
    Range: < 2.178.2
  • AWS/Cloud Development Kit Command Line Interface
    Range: 2.172.0

Patches

No patches discovered yet.
