CVE-2024-10125: CWE-290 Authentication Bypass by Spoofing in Amazon Amazon.ApplicationLoadBalancer.Identity.AspNetCore Middleware
The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo https://github.com/awslabs/aws-alb-identity-aspnetcore#validatetokensignature contains Middleware that can be used in conjunction with the Application Load Balancer (ALB) OpenId Connect integration and can be used in any ASP.NET https://dotnet.microsoft.com/apps/aspnet Core deployment scenario, including Fargate, EKS, ECS, EC2, and Lambda. In the JWT handling code, it performs signature validation but fails to validate the JWT issuer and signer identity. The signer omission, if combined with a scenario where the infrastructure owner allows internet traffic to the ALB targets (not a recommended configuration), can allow for JWT signing by an untrusted entity, and an actor may be able to mimic valid OIDC-federated sessions to the ALB targets. The repository/package has been deprecated, is end of life, and is no longer supported. As a security best practice, ensure that your ELB targets (e.g. EC2 Instances, Fargate Tasks etc.) do not have public IP addresses. Ensure any forked or derivative code validates that the signer attribute in the JWT matches the ARN of the Application Load Balancer that the service is configured to use.
AI Analysis
Technical Summary
CVE-2024-10125 affects the Amazon.ApplicationLoadBalancer.Identity.AspNetCore middleware, which lets an ASP.NET Core application behind an AWS Application Load Balancer (ALB) consume the identity the ALB establishes through its OpenID Connect (OIDC) authenticate action. After authenticating a user with the identity provider, the ALB forwards that identity to the target as a signed JWT in the x-amzn-oidc-data request header. The middleware verifies the JWT's signature but never checks the issuer or the signer, the header field that carries the ARN of the ALB that signed the token. A signature check alone is not sufficient: the public key is looked up by key ID from a regional AWS endpoint that serves the keys of every ALB in that region, so a token signed by an ALB under someone else's control, fronting an identity provider they also control, verifies just as well and is accepted with whatever identity claims it carries. The victim's own ALB sets these headers itself, so forged headers cannot be injected through it; the flaw is exploitable only where a target accepts traffic that did not pass through the ALB, typically because it has a public IP address or a security group open to the internet, a configuration AWS advises against. The middleware is deprecated and unsupported, so no fixed release exists and all versions are affected. The CVSS 4.0 vector on the record rates the attack vector as network with low attack complexity and no privileges or user interaction required, with the impact scored against integrity; the overall rating is medium. The missing issuer and signer checks (CWE-290, Authentication Bypass by Spoofing) undermine the OIDC trust model: an attacker can impersonate arbitrary users to the application, reach protected resources behind the ALB, and use that foothold to move further into the cloud environment. No public exploit has been reported, but the risk is significant in misconfigured environments.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized access to internal applications and services protected by ALB with OIDC authentication wherever the affected middleware is in use and ALB targets are reachable without passing through the ALB. Confidentiality and integrity of sensitive data could be compromised, especially in sectors with strict data protection requirements such as finance, healthcare, and government. Because the forged token carries attacker-chosen identity claims, exploitation amounts to impersonating any legitimate user or service, bypassing authentication entirely and gaining access to internal systems. This could facilitate data exfiltration, service disruption, or further compromise of cloud infrastructure. The impact is amplified in multi-tenant or hybrid cloud environments, where trust boundaries between network segments are relied upon. Organizations that keep the deprecated middleware in production have no patch to apply and must fix the validation logic themselves or replace the component. The medium severity rating reflects the fact that exploitation depends on a network misconfiguration; correct network placement and token validation together prevent it.
Mitigation Recommendations
1. Audit every ALB whose listener rules use the authenticate-oidc action and confirm that its targets (EC2 instances, Fargate tasks, EKS/ECS containers) have no public IP addresses and cannot be reached from the internet except through the ALB.
2. If a target must be reachable for other reasons, restrict its security group so that the application port accepts inbound traffic only from the ALB's security group; add network ACLs and WAF rules as further layers, and never open the application port to 0.0.0.0/0.
3. Replace the deprecated Amazon.ApplicationLoadBalancer.Identity.AspNetCore middleware with an actively maintained token-validation path that checks issuer and signer as well as the signature.
4. In any fork or derivative of the middleware, reject tokens whose signer header does not equal the ARN of the ALB the service is deployed behind, whose iss does not equal the configured identity provider, or whose exp has passed, and pin the expected signing algorithm rather than trusting the token's alg header.
5. Monitor for authentication anomalies: requests carrying an x-amzn-oidc-data header that reach a target from a source address other than the ALB, or tokens whose signer or issuer differ from the configured values, are direct indicators of spoofing attempts.
6. Conduct regular security reviews of identity federation and token validation logic in cloud-native applications.
7. Educate development and operations teams on secure JWT handling and AWS best practices for ALB deployment.
8. Apply additional authorization checks downstream of the ALB so that a spoofed identity alone does not grant access to sensitive operations.
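The following Go program is an added example, not code from the deprecated package or from AWS. It models the token an ALB places in the x-amzn-oidc-data header and contrasts a signature-only validator (the behaviour the Technical Summary describes) with one that also pins the signer ARN, the issuer and the expiry, as recommendation 4 asks. Go is used so the example runs stand-alone on the standard library; the same three checks apply to any C# fork of the middleware. The in-memory KeySet stands in for the regional public-key endpoint; the ALB ARNs, issuer URLs, key IDs and user claims are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Header models the x-amzn-oidc-data JWT header an ALB writes (field names per AWS docs); Claims is
// the user payload; KeySet stands in for the regional endpoint serving keys of every ALB in the region.
type Header struct {
	Alg    string `json:"alg"`
	Kid    string `json:"kid"`
	Signer string `json:"signer"` // ARN of the ALB that signed the token
	Iss    string `json:"iss"`    // upstream OIDC identity provider
	Exp    int64  `json:"exp"`
}
type Claims map[string]string
type KeySet map[string]*ecdsa.PublicKey

// mint signs like an ALB: ES256 over header.payload, signature encoded as R||S (32 bytes each).
func mint(priv *ecdsa.PrivateKey, hdr Header, claims Claims) string {
	hj, _ := json.Marshal(hdr)
	cj, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hj) + "." + base64.RawURLEncoding.EncodeToString(cj)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// ValidateSignatureOnly is the vulnerable behaviour: it proves some ALB in the region signed the token.
func ValidateSignatureOnly(token string, keys KeySet) (hdr Header, claims Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return hdr, claims, errors.New("malformed token")
	}
	hj, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	cj, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hj, &hdr) != nil {
		return hdr, claims, errors.New("undecodable token")
	}
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "ES256" || !ok { // pin the algorithm; never let the token pick it
		return hdr, claims, errors.New("unexpected alg or unknown kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return hdr, claims, errors.New("signature invalid")
	}
	err = json.Unmarshal(cj, &claims)
	return
}

// ValidateHardened adds the advisory's checks: signer == this service's ALB ARN, iss == its IdP, exp in the future.
func ValidateHardened(token string, keys KeySet, wantSigner, wantIssuer string, now time.Time) (Claims, error) {
	h, c, err := ValidateSignatureOnly(token, keys)
	if err != nil {
		return nil, err
	}
	if h.Signer != wantSigner || h.Iss != wantIssuer {
		return nil, fmt.Errorf("signer %q / issuer %q are not the configured ALB and IdP", h.Signer, h.Iss)
	}
	if now.Unix() >= h.Exp {
		return nil, errors.New("token expired")
	}
	return c, nil
}

// Scenario: a legitimate token and one from an attacker-controlled ALB in the same region (own IdP, own key).
func Scenario() (weakAcceptsForged, hardenedAcceptsForged, hardenedAcceptsLegit bool) {
	const ourALB, evilALB, ourIdP = "arn:aws:elasticloadbalancing:eu-west-1:111111111111:loadbalancer/app/ours/1",
		"arn:aws:elasticloadbalancing:eu-west-1:222222222222:loadbalancer/app/evil/2", "https://login.example.com"
	ourKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	evilKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys := KeySet{"kid-ours": &ourKey.PublicKey, "kid-evil": &evilKey.PublicKey}
	exp := time.Now().Add(2 * time.Minute).Unix()
	legit := mint(ourKey, Header{Alg: "ES256", Kid: "kid-ours", Signer: ourALB, Iss: ourIdP, Exp: exp}, Claims{"sub": "alice"})
	// The attacker's ALB signs whatever identity the attacker's own IdP asserts.
	forged := mint(evilKey, Header{Alg: "ES256", Kid: "kid-evil", Signer: evilALB, Iss: "https://idp.attacker.example", Exp: exp}, Claims{"sub": "admin"})
	_, _, e1 := ValidateSignatureOnly(forged, keys)
	_, e2 := ValidateHardened(forged, keys, ourALB, ourIdP, time.Now())
	_, e3 := ValidateHardened(legit, keys, ourALB, ourIdP, time.Now())
	return e1 == nil, e2 == nil, e3 == nil
}

func main() { fmt.Println(Scenario()) } // prints: true false true
```

The forged token passes the signature-only validator because its key really is on the regional endpoint; it fails the hardened one at the signer comparison before the issuer or expiry are even reached. In a real service the expected signer ARN and issuer come from deployment configuration, never from the request.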
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: AMZN
- Date Reserved: 2024-10-18T13:08:55.032Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ee9ff531414aa8fc5df080
Added to database: 10/14/2025, 7:09:41 PM
Last enriched: 10/14/2025, 7:21:56 PM
Last updated: 10/16/2025, 2:04:14 PM