What is AWS-2025-031?

AWS-2025-031 is a security advisory published by AWS Security Bulletins. Overly Permissive Trust Policy in Harmonix on AWS EKS

Which CVE IDs does AWS-2025-031 cover?

AWS-2025-031 covers the following CVE IDs: CVE-2025-14503. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

AWS-2025-031

Overly Permissive Trust Policy in Harmonix on AWS EKS

Vendor

AWS Security Bulletins

Published

December 15, 2025

Last Modified

—

🔗 CVE IDs covered (1)

CVE-2025-14503 →

📋 Description

Bulletin ID: AWS-2025-031 Scope: AWS Content Type: Informational Publication Date: 2025/12/15 11:45 AM PST Description: Harmonix on AWS is an open source reference architecture and implementation of a Developer Platform that extends the CNCF Backstage project. We identified CVE-2025-14503 where an overly-permissive IAM trust policy in the Harmonix on AWS framework may allow authenticated users to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any account principal with sts:AssumeRole permissions to assume the role with administrative privileges. Resolution: v0.3.0 through v0.4.1

🔗 References (1)

advisoryhttps://aws.amazon.com/security/security-bulletins/rss/aws-2025-031/