CVE-2025-8904
Bulletin ID: AWS-2025-017 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/08/13 10:00 PM PDT Description: Amazon EMR is a managed cluster platform that simplifies running big data frameworks on AWS to process and analyze vast amounts of data. We identified CVE-2025-8904, an issue in the Amazon EMR Secret Agent component. The Secret Agent component securely stores secrets and distributes secrets to other Amazon EMR components and applications. When using Amazon EMR clusters with one or more Lake Formation, Apache Ranger, runtime role, or Identity Center feature that uses this component, Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. We implemented a fix that removes /tmp/ as a staging directory for Kerberos credentials, eliminating the possibility of users accessing the keytab file. The fix is available in Amazon EMR release 7.5 and higher. Affected versions: Amazon EMR version 6.10 through 7.4
CSIRTS triage
- What
- An issue allows a user to potentially decrypt Kerberos credentials stored in a keytab file.
- Who is affected
- Users with access to the /tmp/ directory in Amazon EMR clusters using certain features.
- Urgency
- Remediation is urgent due to the potential for privilege escalation.
- Action
- Remove the /tmp/ directory keytab file as part of the fix.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2025-8904
Get an email if CVE-2025-8904 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.31% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 23% of all EPSS-scored CVEs.
Advisory coverage (1)
- highCVE-2025-8904 - Issue with Amazon EMR Secret Agent componentaws · 2026-06-05
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2025-8904)