PT-2025-4846 · Amazon · AWS CDK

Gavinzz · Published 2025-01-17 · Updated 2026-01-23 · CVE-2025-23206

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AWS Cloud Development Kit (AWS CDK) versions prior to 2.177.0

Description: The issue concerns the AWS Cloud Development Kit's (AWS CDK) handling of IAM OIDC custom resource provider packages. Specifically, the tls.connect call sets rejectUnauthorized: false, which is a potential security concern. This could allow unauthorized OIDC providers to be connected, although the risk is mitigated by the Lambda environment and by the fact that users define the issuer URL. The estimated number of potentially affected devices is not provided. There are no reported real-world incidents where this issue was exploited. Technically, calling tls.connect with rejectUnauthorized: false skips verification of the server certificate against trusted CAs, leading to insecure transport. The rejectUnauthorized option should be set to true to follow best practices.

Recommendations: Upgrade to AWS CDK version 2.177.0 or later. Once upgraded, set the feature flag @aws-cdk/aws-iam:oidcRejectUnauthorizedConnections to true in cdk.context.json or cdk.json. As a temporary workaround, consider setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 1, which enables TLS verification. Restrict access to the vulnerable oidc-handler module to minimize the risk of exploitation. Avoid using the tls.connect method with rejectUnauthorized: false in the affected API endpoint until the issue is resolved.
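As an added example that is not part of this advisory or of the AWS CDK code base, the following Node.js check classifies a project against the two conditions the advisory names (library version below 2.177.0, and the feature flag not enabled after upgrading) and lints handler source for the weak tls.connect option. The version string, the parsed cdk.json object and the sample handler source are assumed, constructed inputs.

```javascript
// Added example (not from the advisory or the AWS CDK project): a defender-side
// check for the condition described in CVE-2025-23206. Inputs are assumed: the
// installed AWS CDK version string and the parsed contents of cdk.json (flag under
// "context") or cdk.context.json (flag at top level).
const FIXED_VERSION = "2.177.0";
const FLAG = "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections";

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release suffixes (e.g. "-alpha") are not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Classify a project: "vulnerable" (library older than the fix), "flag-missing"
// (patched library, but the opt-in feature flag is not set to true), or "hardened".
function assessProject(cdkVersion, cdkJson) {
  if (compareVersions(cdkVersion, FIXED_VERSION) < 0) return "vulnerable";
  const cfg = cdkJson || {};
  const ctx = cfg.context || cfg; // cdk.json nests flags under "context"
  return ctx[FLAG] === true ? "hardened" : "flag-missing";
}

// Lint source text for tls.connect options that disable certificate checks.
// Returns the 1-based line numbers where `rejectUnauthorized: false` appears.
function findInsecureTlsOptions(source) {
  const hits = [];
  source.split("\n").forEach((line, i) => {
    if (/rejectUnauthorized\s*:\s*false/.test(line)) hits.push(i + 1);
  });
  return hits;
}

// Constructed sample resembling the weak call pattern described in the advisory.
const SAMPLE_HANDLER = [
  "const socket = tls.connect({",
  "  host: issuerHost, port: 443, servername: issuerHost,",
  "  rejectUnauthorized: false, // weak: accepts any server certificate",
  "});",
  "socket.on('secureConnect', () => socket.getPeerCertificate().fingerprint);",
].join("\n");
```

Running findInsecureTlsOptions(SAMPLE_HANDLER) reports line 3; the hardened form simply sets rejectUnauthorized: true, which is what the feature flag enables in patched releases.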

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2025-23206
GHSA-V4MQ-X674-FF73

Affected Products

AWS CDK