Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-mvq3-wt2a-sfaj
Vulnerability ID VCID-mvq3-wt2a-sfaj
Aliases GHSA-qc59-cxj2-c2w4
Summary aws-cdk-lib's aspect order change causes different Permissions Boundary assigned to Role The [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/) is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. In the CDK, developers organize their applications into reusable components called "[constructs](https://docs.aws.amazon.com/cdk/v2/guide/constructs.html)," which are organized into a hierarchical tree structure. One of the features of this framework is the ability to call "[Aspects](https://docs.aws.amazon.com/cdk/v2/guide/aspects.html)," which are mechanisms to set configuration options for all AWS Resources in a particular part of the hierarchy at once. Aspect execution happens in a specific order, and the last Aspect to execute controls the final values in the template. AWS CDK version [2.172.0](https://github.com/aws/aws-cdk/releases/tag/v2.172.0) introduced a new priority system for Aspects. Prior to this version, CDK would run Aspects based on hierarchical location. The new priority system takes precedence over hierarchical location, altering the invocation order of Aspects. Different priority classes were introduced: Aspects added by CDK APIs were classified as MUTATING (priority 200), while Aspects added directly by the user were classified as DEFAULT (priority 500) unless the user specified otherwise. As a result of this change, CDK apps that use a custom Aspect to assign a default permissions boundary and then use a built-in CDK method to override it on select resources could have unexpected permissions boundaries assigned. The following is an affected code sample: ```ts Aspects.of(stack).add(new CustomAspectThatAssignsDefaultPermissionsBoundaries()); // {1} PermissionsBoundary.of(lambdaFunc).apply(...); // {2} -- uses Aspects internally ``` In versions prior to 2.172.0, the Aspect added by {2} would invoke last and assign its permissions boundary to the Lambda function role. In versions 2.172.0 and after, the Aspect added by {2} would have priority 200 while the Aspect added by {1} would have priority 500 and therefore be invoked last. The Lambda function role would get the permissions boundary of {1} assigned, which may not be what users expect.
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-279 Incorrect Execution-Assigned Permissions
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr LOW https://github.com/advisories/GHSA-qc59-cxj2-c2w4
cvssv3.1 2.2 https://github.com/aws/aws-cdk
generic_textual LOW https://github.com/aws/aws-cdk
cvssv3.1 2.2 https://github.com/aws/aws-cdk/commit/b7f4bc7aee1d99b70e4d9d3cedea53e910ee37ef
generic_textual LOW https://github.com/aws/aws-cdk/commit/b7f4bc7aee1d99b70e4d9d3cedea53e910ee37ef
cvssv3.1 2.2 https://github.com/aws/aws-cdk/releases/tag/v2.189.1
generic_textual LOW https://github.com/aws/aws-cdk/releases/tag/v2.189.1
cvssv3.1 2.2 https://github.com/aws/aws-cdk/security/advisories/GHSA-qc59-cxj2-c2w4
cvssv3.1_qr LOW https://github.com/aws/aws-cdk/security/advisories/GHSA-qc59-cxj2-c2w4
generic_textual LOW https://github.com/aws/aws-cdk/security/advisories/GHSA-qc59-cxj2-c2w4
Reference id Reference type URL
https://github.com/aws/aws-cdk
https://github.com/aws/aws-cdk/commit/b7f4bc7aee1d99b70e4d9d3cedea53e910ee37ef
https://github.com/aws/aws-cdk/releases/tag/v2.189.1
GHSA-qc59-cxj2-c2w4 https://github.com/advisories/GHSA-qc59-cxj2-c2w4
GHSA-qc59-cxj2-c2w4 https://github.com/aws/aws-cdk/security/advisories/GHSA-qc59-cxj2-c2w4
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/aws/aws-cdk
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/aws/aws-cdk/commit/b7f4bc7aee1d99b70e4d9d3cedea53e910ee37ef
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/aws/aws-cdk/releases/tag/v2.189.1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/aws/aws-cdk/security/advisories/GHSA-qc59-cxj2-c2w4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-04T16:23:49.934786+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/aws-cdk-lib/GHSA-qc59-cxj2-c2w4.yml 38.6.0