Summary
AWS CDK CLI prints AWS credentials retrieved by custom credential plugins
The AWS Cloud Development Kit (AWS CDK) [1] is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. The AWS CDK CLI [2] is a command line tool for interacting with CDK applications. Customers can use the CDK CLI to create, manage, and deploy their AWS CDK projects.
An issue exists in the AWS CDK CLI where, under certain conditions, AWS credentials may be returned in the console output. Plugins that return an expiration property in the credentials object are affected by this issue. Plugins that omit the expiration property are not affected.
Impacted versions: >=2.172.0 and <2.178.2
Workarounds
If you are unable to upgrade to version 2.178.2 or later, you can downgrade to version 2.171.1. If you are unable to downgrade, but have access to the code of the credential plugin you use, you can remove the expiration property from the object returned by the plugin.
For example, change the code from returning this:
return {
accessKeyId: assumeRoleOutput.Credentials.AccessKeyId,
secretAccessKey: assumeRoleOutput.Credentials.SecretAccessKey,
sessionToken: assumeRoleOutput.Credentials.SessionToken,
// Expiration indicates to the CLI that this is temporary
expiration: assumeRoleOutput.Credentials.Expiration,
};
To return this:
return {
accessKeyId: assumeRoleOutput.Credentials.AccessKeyId,
secretAccessKey: assumeRoleOutput.Credentials.SecretAccessKey,
sessionToken: assumeRoleOutput.Credentials.SessionToken,
};
Note that this will prevent the CDK CLI from refreshing the credentials when needed, and may cause your workflow to fail on an expired credentials error.
References
[1] https://docs.aws.amazon.com/cdk/v2/guide/home.html
[2] https://docs.aws.amazon.com/cdk/v2/guide/cli.html
[3] https://docs.aws.amazon.com/cdk/v2/guide/cli.html#cli-config
[4] https://www.npmjs.com/package/@aws-cdk/cli-plugin-contract
Impact
When customers run AWS CDK CLI commands with credential plugins and configure those plugins to return temporary credentials by including an expiration property, the AWS credentials retrieved by the plugin may be returned in the console output. Any user with access where the CDK CLI was ran would have access to this output.
The following are examples of configuring a custom credential plugin:
Via command line option:
cdk deploy --plugin /path/to/plugin
Via configuration file [3]:
{
"plugin": "/path/to/plugin"
}
Plugins that return an expiration property in the credentials object, such as the following example, are affected:
return {
accessKeyId: '<access-key>',
secretAccessKey: '<secret-access-key>',
sessionToken: '<session-token>',
expiration: <date>,
};
The expiration property indicates that the provided credentials are temporary.
Please refer to our "AWS CDK CLI Library" guide for more information about custom credential plugins [4].
CVE-2025-2598 has a CVSS score of 5.5 (Medium). The vector is requires local access, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.178.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
The issue has been addressed in version 2.178.2 [5]. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Frequently Asked Questions
- What is CVE-2025-2598? CVE-2025-2598 is a medium-severity security vulnerability in aws-cdk (npm), affecting versions >= 2.172.0, < 2.178.2. It is fixed in 2.178.2.
- How severe is CVE-2025-2598? CVE-2025-2598 has a CVSS score of 5.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2025-2598?
aws-cdk(npm) (versions >= 2.172.0, < 2.178.2)cdk(npm) (versions >= 2.172.0, < 2.178.2)
- Is there a fix for CVE-2025-2598? Yes. CVE-2025-2598 is fixed in 2.178.2. Upgrade to this version or later.
- Is CVE-2025-2598 exploitable, and should I be worried? Whether CVE-2025-2598 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-2598 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-2598?
- Upgrade
aws-cdkto 2.178.2 or later - Upgrade
cdkto 2.178.2 or later
- Upgrade