CVE-2025-14503

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-14503

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14503.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-14503

Aliases

GHSA-qm86-gqrq-mqcw

Published

2025-12-15T20:15:49.190Z

Modified

2026-04-10T05:23:46.503629Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges.

We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1.

References

Affected packages

Git / github.com/awslabs/harmonix

Affected ranges

Type

GIT

Repo

https://github.com/awslabs/harmonix

Events

Introduced

6452966b3558862c2d76eb81d6251edc7f084d09

Fixed

9b904e8f2e506b2a27c4276bd6f9c7d6e4721bc2

Database specific

{
    "versions": [
        {
            "introduced": "0.3.0"
        },
        {
            "fixed": "0.4.2"
        }
    ]
}

Affected versions

v0.*

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.4.0

v0.4.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14503.json"