Overly Permissive Trust Policy in Harmonix on AWS EKS
Bulletin ID: AWS-2025-031
Scope:
AWS
Content Type:
Informational
Publication Date: 2025/12/15 11:45 AM PST
Last Updated: 2025/12/16 15:00 PM PST
Description:
Harmonix on AWS is an open source reference architecture and implementation of a Developer Platform that extends the CNCF Backstage project. We identified CVE-2025-14503, where an overly permissive IAM role trust policy in the Harmonix on AWS framework may allow IAM principals from the same AWS account with sts:AssumeRole permissions to escalate privileges via role assumption. The sample code for the EKS environment provisioning role was configured to trust the account root principal, which may enable IAM principals in that AWS account with sts:AssumeRole permissions on the EKS environment provisioning role to assume that role with administrative privileges.
Impacted versions: v0.3.0 through v0.4.1
Resolution:
This issue has been addressed in Harmonix on AWS version 0.4.2. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds:
If you cannot immediately upgrade to version 0.4.2 or later, we recommend reviewing and restricting the IAM role trust policies in your Harmonix on AWS deployment, particularly focusing on the EKS environment provisioning role, to ensure it does not trust the account root principal and instead only allows the IAM principals that you intend to have permission to assume it. The provisioning role from the sample code can be found in the IAM console and will have the following name pattern:
*-eks-*-provisioning-role
CloudTrail events can be reviewed and monitored for 'AssumeRole' event names where the requestParameters.roleArn field includes the ARN of the provisioning role. Additionally, we recommend avoiding the use of the sts:AssumeRole permission with all roles or a wildcard (`*`), and only granting sts:AssumeRole permissions for specific IAM roles in your identity-based policies.
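The two workaround steps above, as an added example that is not part of this bulletin or of the Harmonix on AWS code: a check that flags trust-policy statements trusting the account root principal (shown beside a restricted policy that names one intended principal; the role name harmonix-platform-admin and all ARNs are constructed), and a filter over CloudTrail records for AssumeRole events whose roleArn matches the *-eks-*-provisioning-role pattern.

```python
import fnmatch
import re

# Constructed sample: the weak trust policy trusts the whole account ...
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}
# ... the restricted one names only the intended principal (hypothetical role name).
RESTRICTED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/harmonix-platform-admin"}}]}

# A bare account id in Principal.AWS is equivalent to the account root principal.
ACCOUNT_WIDE = re.compile(r"^(arn:aws:iam::\d{12}:root|\d{12})$")

def overly_permissive_principals(policy: dict) -> list[str]:
    """Principals in Allow/AssumeRole statements that trust everyone or a whole account."""
    found = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*" or ACCOUNT_WIDE.match(p):
                found.append(p)
    return found

def provisioning_role_assumptions(records: list[dict]) -> list[str]:
    """Caller ARN of every AssumeRole event whose target matches *-eks-*-provisioning-role."""
    hits = []
    for rec in records:
        role_arn = (rec.get("requestParameters") or {}).get("roleArn", "")
        role_name = role_arn.rsplit("/", 1)[-1]
        if rec.get("eventName") == "AssumeRole" and fnmatch.fnmatch(role_name, "*-eks-*-provisioning-role"):
            hits.append((rec.get("userIdentity") or {}).get("arn", "unknown"))
    return hits

# Constructed CloudTrail records, not real log data.
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/harmonix-eks-prod-provisioning-role"}},
    {"eventName": "AssumeRole", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ci-deploy-role"}},
    {"eventName": "GetCallerIdentity", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"}},
]

if __name__ == "__main__":
    print("weak policy trusts:", overly_permissive_principals(WEAK_TRUST_POLICY))
    print("restricted policy trusts:", overly_permissive_principals(RESTRICTED_TRUST_POLICY))
    print("provisioning role assumed by:", provisioning_role_assumptions(SAMPLE_EVENTS))
```

Feeding the output of get-role (AssumeRolePolicyDocument) and CloudTrail lookup-events into these two functions reproduces the review the workaround describes.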
References:
Acknowledgement:
We would like to thank security researcher r00tdaddy for collaborating on this issue through the coordinated vulnerability disclosure process.
Please email aws-security@amazon.com with any security questions or concerns.