CVE-2025-14503

HIGH

Harmonix on AWS <0.4.2 - Privilege Escalation

Title source: llm

Description

An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges. We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1.

References (3)

[Issue Tracking] https://github.com/awslabs/harmonix/pull/189

[Patch, Vendor Advisory] https://aws.amazon.com/security/security-bulletins/AWS-2025-031/

[Vendor Advisory] https://github.com/awslabs/harmonix/security/advisories/GHSA-qm86-gqrq-mqcw

Scores

CVSS v3 7.2

EPSS 0.0007

EPSS Percentile 21.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-266

Status published

Products (1)

amazon/harmonix 0.3.0 - 0.4.2

Published Dec 15, 2025

Tracked Since Feb 18, 2026