CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2025-14503

unknowncovered by 1 sourcefirst seen 2026-06-05
Bulletin ID: AWS-2025-031 Scope: AWS Content Type: Informational Publication Date: 2025/12/15 11:45 AM PST Description: Harmonix on AWS is an open source reference architecture and implementation of a Developer Platform that extends the CNCF Backstage project. We identified CVE-2025-14503 where an overly-permissive IAM trust policy in the Harmonix on AWS framework may allow authenticated users to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any account principal with sts:AssumeRole permissions to assume the role with administrative privileges. Resolution: v0.3.0 through v0.4.1

CSIRTS triage

What
An overly-permissive IAM trust policy may allow privilege escalation via role assumption.
Who is affected
Authenticated users of Harmonix on AWS.
Urgency
Remediation is necessary to prevent potential privilege escalation.
Action
Update the IAM trust policy in Harmonix on AWS to restrict permissions.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2025-14503

Get an email if CVE-2025-14503 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2025-14503

CVE.org record

Embed the live status

CVE-2025-14503 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2025-14503 status](https://www.csirts.com/badge/CVE-2025-14503)](https://www.csirts.com/cve/CVE-2025-14503)