CVE-2025-23206 IAM OIDC custom resource allows connection to unauthorized OIDC provider in aws-cdk

🗓️ 17 Jan 2025 20:34:50Reported by GoogleType

osv🔗 osv.dev👁 2 Views

CDK security advisory: tls.connect ignores cert validity for OpenID Connect providers; enable feature flag after upgrade.

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2025-23206	17 Jan 202520:39	–	circl
CNNVD	AWS Cloud Development Kit 数据伪造问题漏洞	17 Jan 202500:00	–	cnnvd
CVE	CVE-2025-23206	17 Jan 202520:34	–	cve
Cvelist	CVE-2025-23206 IAM OIDC custom resource allows connection to unauthorized OIDC provider in aws-cdk	17 Jan 202520:34	–	cvelist
EUVD	EUVD-2025-0113	3 Oct 202520:07	–	euvd
Github Security Blog	AWS Cloud Development Kit (AWS CDK) IAM OIDC custom resource allows connection to unauthorized OIDC provider	17 Jan 202521:22	–	github
NVD	CVE-2025-23206	17 Jan 202521:15	–	nvd
OSV	GHSA-V4MQ-X674-FF73 AWS Cloud Development Kit (AWS CDK) IAM OIDC custom resource allows connection to unauthorized OIDC provider	17 Jan 202521:22	–	osv
Positive Technologies	PT-2025-4846	17 Jan 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-23206	9 Jan 202610:58	–	redhatcve

Source	Link
docs	www.docs.aws.amazon.com/cdk/v2/guide/featureflags.html
github	www.github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts
github	www.github.com/aws/aws-cdk/releases/tag/v2.177.0
github	www.github.com/CVEProject/cvelistV5/tree/main/cves/2025/23xxx/CVE-2025-23206.json
github	www.github.com/aws/aws-cdk/security/advisories/GHSA-v4mq-x674-ff73
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-23206
github	www.github.com/aws/aws-cdk/issues/32920
github	www.github.com/aws/aws-cdk/commit/3e4f3773bfa48b75bf0adc7d53d46bbec7714a9e
github	www.github.com/aws/aws-cdk/pull/32921

10 Apr 2026 05:22Current

6.7Medium risk

Vulners AI Score6.7

CVSS 41.8

EPSS0.00068