Vulnerability Description
An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges. We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Harmonix | >= 0.3.0, < 0.4.2 |
Related Weaknesses (CWE)
References
- https://aws.amazon.com/security/security-bulletins/AWS-2025-031/PatchVendor Advisory
- https://github.com/awslabs/harmonix/pull/189Issue Tracking
- https://github.com/awslabs/harmonix/security/advisories/GHSA-qm86-gqrq-mqcwVendor Advisory
FAQ
What is CVE-2025-14503?
CVE-2025-14503 is a vulnerability with a CVSS score of 7.2 (HIGH). An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environm...
How severe is CVE-2025-14503?
CVE-2025-14503 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-14503?
Check the references section above for vendor advisories and patch information. Affected products include: Amazon Harmonix.