CVE-2025-2598: AWS CDK CLI prints AWS credentials retrieved by custom credential plugins
The AWS Cloud Development Kit (AWS CDK) [1] is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. The AWS CDK CLI [2] is a command line tool for interacting with CDK applications. Customers can use the CDK CLI to create, manage, and deploy their AWS CDK projects.
An issue exists in the AWS CDK CLI where, under certain conditions, AWS credentials may be returned in the console output. Plugins that return an expiration property in the credentials object are affected by this issue; plugins that omit the expiration property are not affected.
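As an added illustration (not AWS CDK code and not the project's fix), these are the two defensive checks a practitioner would want around this class of leak: masking the secret fields of a plugin-returned credentials object before it is logged, and scanning captured CLI output for AWS access key IDs so CI logs can be triaged. The credential values and the log line are constructed.

```javascript
// Fields of a credentials object that must never reach a log line.
const SECRET_FIELDS = ["accessKeyId", "secretAccessKey", "sessionToken"];

// Constructed sample (fake values): the shape a credential plugin returns,
// including the expiration property present in the affected case.
const pluginCredentials = {
  accessKeyId: "AKIAEXAMPLEKEY000001",
  secretAccessKey: "FAKEsecretFAKEsecretFAKEsecretFAKEsecre1",
  sessionToken: "FAKE.session.token",
  expiration: new Date("2025-01-01T00:00:00Z"),
};

// Return a copy that is safe to log: secrets masked, metadata kept.
function redactCredentials(creds) {
  const out = {};
  for (const [key, value] of Object.entries(creds)) {
    if (SECRET_FIELDS.includes(key) && typeof value === "string") {
      // Keep a 4-char prefix so operators can still tell keys apart.
      out[key] = `${value.slice(0, 4)}[redacted]`;
    } else {
      out[key] = value instanceof Date ? value.toISOString() : value;
    }
  }
  return out;
}

// AWS access key IDs are 20 chars: AKIA (long-term) or ASIA (temporary)
// followed by 16 upper-case alphanumerics.
const ACCESS_KEY_RE = /\b(AKIA|ASIA)[A-Z0-9]{16}\b/g;

// Scan captured console output (for example a CI job log) and report the
// line numbers and key IDs found, so the keys can be rotated.
function findLeakedKeys(logText) {
  const hits = [];
  logText.split("\n").forEach((line, index) => {
    for (const match of line.matchAll(ACCESS_KEY_RE)) {
      hits.push({ line: index + 1, keyId: match[0] });
    }
  });
  return hits;
}

// Constructed log line of the kind the advisory describes: the raw
// credentials object written to the console.
const sampleLog = `info: plugin creds ${JSON.stringify(pluginCredentials)}\nok`;
```

Running `findLeakedKeys(sampleLog)` on the constructed line reports one hit on line 1; `redactCredentials` is what the logging path should call instead of serialising the object directly.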