CVE-2025-2598

MEDIUM

AWS Cloud Development Kit 2.172.0-2.178.2 - Exposure of Sensitive System Information via Credential Plugin

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-2598. PoCs published by Catnip-Express-Maxim, SallyXVIII.

AI-analyzed exploit summary: This script exploits a vulnerability in AWS CDK versions 2.172-2.178.0/1 to extract AWS credentials from a plugin file and exfiltrate logs to a remote server. It checks for specific CDK versions and extracts access keys, secret keys, session tokens, and expiration dates.

Description

When the AWS Cloud Development Kit (AWS CDK) Command Line Interface (AWS CDK CLI) is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178.2 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

Exploits (2)

nomisec WORKING POC
by Catnip-Express-Maxim · poc
https://github.com/Catnip-Express-Maxim/AWSTESTEXPLOIT

This script exploits a vulnerability in AWS CDK versions 2.172-2.178.0/1 to extract AWS credentials from a plugin file and exfiltrate logs to a remote server. It checks for specific CDK versions and extracts access keys, secret keys, session tokens, and expiration dates.

Classification: Working PoC 80%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: AWS CDK versions 2.172-2.178.0/1
No auth needed
Prerequisites: AWS CDK installed · Specific CDK version range (2.172-2.178.0/1) · Presence of a plugin file with AWS credentials
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by SallyXVIII · poc
https://github.com/SallyXVIII/Final-Proj

This script exploits a vulnerability in AWS CDK versions 2.172-2.178 and 2.178.0-1 to extract AWS credentials from a plugin file. It checks for the presence of the CDK tool, verifies the version, and extracts credentials if the vulnerable version is detected.

Classification: Working PoC 80%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: AWS CDK versions 2.172-2.178 and 2.178.0-1
No auth needed
Prerequisites: AWS CDK installed and configured on the target system · Presence of the vulnerable plugin file
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 5.5
EPSS: 0.0007
EPSS Percentile: 22.1%
Attack Vector: LOCAL
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-497
Status: published
Products (3)
amazon/aws_cloud_development_kit 2.172.0 - 2.178.2
npm/aws-cdk 2.172.0 - 2.178.2
npm/cdk 2.172.0 - 2.178.2
Published: Mar 21, 2025
Tracked Since: Feb 18, 2026