CVE-2025-14503

Overly Permissive Trust Policy in Harmonix on AWS EKS

Description

An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow authenticated users to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any account principal with sts:AssumeRole permissions to assume the role with administrative privileges. We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1.

INFO

Published Date :

2025-12-15T19:45:00.729Z

Last Modified :

2025-12-16T23:13:44.545Z

Source :

AMZN

AFFECTED PRODUCTS

The following products are affected by CVE-2025-14503 vulnerability.

Vendors	Products
Amazon	Aws Harmonix

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-14503.

URL	Resource
https://aws.amazon.com/security/security-bulletins/AWS-2025-031/
https://github.com/awslabs/harmonix/pull/189
https://github.com/awslabs/harmonix/security/advisories/GHSA-qm86-gqrq-mqcw

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact