CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Overly Permissive Trust Policy in Harmonix on AWS EKS

unknownCVE-2025-14503
Bulletin ID: AWS-2025-031 Scope: AWS Content Type: Informational Publication Date: 2025/12/15 11:45 AM PST Description: Harmonix on AWS is an open source reference architecture and implementation of a Developer Platform that extends the CNCF Backstage project. We identified CVE-2025-14503 where an overly-permissive IAM trust policy in the Harmonix on AWS framework may allow authenticated users to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any account principal with sts:AssumeRole permissions to assume the role with administrative privileges. Resolution: v0.3.0 through v0.4.1

CSIRTS triage

What
An overly-permissive IAM trust policy may allow privilege escalation via role assumption.
Who is affected
Authenticated users of Harmonix on AWS.
Urgency
Remediation is necessary to prevent potential privilege escalation.
Action
Update the IAM trust policy in Harmonix on AWS to restrict permissions.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Harmonix on AWS

Get an email when a new Harmonix on AWS advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-031/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2025-14503coverage & exploitation statusNVD · CVE.org

More from AWS Security Bulletins