CVE-2025-14503
Bulletin ID: AWS-2025-031 Scope: AWS Content Type: Informational Publication Date: 2025/12/15 11:45 AM PST Description: Harmonix on AWS is an open source reference architecture and implementation of a Developer Platform that extends the CNCF Backstage project. We identified CVE-2025-14503 where an overly-permissive IAM trust policy in the Harmonix on AWS framework may allow authenticated users to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any account principal with sts:AssumeRole permissions to assume the role with administrative privileges. Resolution: v0.3.0 through v0.4.1
CSIRTS triage
- What
- An overly-permissive IAM trust policy may allow privilege escalation via role assumption.
- Who is affected
- Authenticated users of Harmonix on AWS.
- Urgency
- Remediation is necessary to prevent potential privilege escalation.
- Action
- Update the IAM trust policy in Harmonix on AWS to restrict permissions.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2025-14503
Get an email if CVE-2025-14503 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.43% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 35% of all EPSS-scored CVEs.
Advisory coverage (1)
- unknownOverly Permissive Trust Policy in Harmonix on AWS EKSaws · 2026-06-05
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2025-14503)