CVE-2025-8904: CWE-257: Storing Passwords in a Recoverable Format in Amazon EMR
Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.
AI Analysis
Technical Summary
CVE-2025-8904 is a critical vulnerability in Amazon EMR's Secret Agent component, which provisions Kerberos credentials on cluster nodes. Secret Agent writes a keytab file containing Kerberos keys into the /tmp/ directory. /tmp is a shared, world-accessible directory, so a file placed there is only as private as the mode it is created with, and in affected releases another local account on the same node can read the file and recover the keys it holds. A keytab stores the long-term keys of its principals, so whoever obtains it can authenticate as those principals without knowing any password; a low-privileged local user can therefore impersonate higher-privileged users or services within the cluster. The vulnerability affects Amazon EMR releases 6.10 through 7.4 and is fixed in 7.5 and later; for the affected releases Amazon provides a bootstrap script and RPM files that apply the fix. It is classified under CWE-257 (Storing Passwords in a Recoverable Format), since the credential material is written to disk in a form that other accounts can recover. The listed CVSS 4.0 base score is 9.0 (critical): network attack vector, high attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity and availability. Note the tension between that vector and the vendor description, which requires an existing account on the node; in practice the attack path is local. No exploitation in the wild had been reported at the time of analysis, but because the attack needs nothing more than a second local account and read access to one file, it is a significant risk on shared cluster nodes.
Potential Impact
The primary impact of CVE-2025-8904 is local privilege escalation within an Amazon EMR cluster. An attacker holding any account on an affected node can read the keytab from /tmp/, recover the Kerberos keys, and obtain tickets as the principals the keytab covers, impersonating privileged users or services. From there they can reach data the cluster processes or stores, disrupt cluster operations, and pivot to other hosts that trust those principals. The exposure is worst on shared nodes where several OS users or tenants run jobs, because a low-privileged job or SSH user on the same host is enough. Since Kerberos is the cluster's authentication backbone, compromising its keys undermines the access controls layered on top of it, with confidentiality, integrity and availability consequences ranging from data exfiltration and manipulation to denial of service.
Mitigation Recommendations
To mitigate CVE-2025-8904, upgrade affected clusters to Amazon EMR 7.5 or later, where the issue is fixed. For clusters on releases 6.10 through 7.4 that cannot be upgraded immediately, apply the bootstrap script and RPM files Amazon provides for those releases; a bootstrap action runs on every node at launch, so new clusters started with it are covered, while already-running clusters need the RPMs applied on each node. Treat the keys in any keytab that was written to /tmp/ on a shared node as potentially exposed: after patching, rotate the affected principals' keys at the KDC and redeploy their keytabs, because patching alone does not invalidate keys an attacker may already have copied. Check nodes for keytab files outside their intended location or with group- or world-readable modes, and alert on such files with host-based monitoring (auditd or a HIDS watching /tmp and the keytab directories). Reduce who can obtain a shell or run arbitrary code on cluster nodes: limit SSH access, avoid sharing nodes between untrusted users or tenants, and run untrusted workloads on separate clusters. Finally, make sure any credential files your own tooling writes are created in private directories with restrictive modes rather than in world-accessible temporary directories.
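The file-permission check and the safe creation pattern described above, as an added example that is not Amazon's code and not part of the advisory: a POSIX shell script that scans a directory such as /tmp for keytab files readable by other accounts, recognising them by the MIT keytab magic bytes (0x05 0x02) rather than by file name, next to the weak and the hardened way of writing such a file. The script name, the directory names and the two-byte placeholder contents are assumptions for illustration; in a real deployment the keytab would be written by kadmin or ktutil into the private path.

```shell
#!/bin/sh
# Added example, not Amazon's or EMR's own code: find Kerberos keytabs that other
# local accounts can read (the exposure behind CVE-2025-8904) and create a keytab
# the way that avoids it. Directory and file names are illustrative.

# Portable helpers: GNU stat first (Amazon Linux on EMR nodes), BSD stat as fallback.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# is_keytab FILE: a keytab starts with the MIT magic 0x05 0x02 (0x05 0x01 for v1).
is_keytab() {
    [ -f "$1" ] || return 1
    case "$(head -c 2 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" in
        0502|0501) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit_keytabs DIR: print "MODE OWNER PATH" for each keytab under DIR (default /tmp)
# that group or other can read. Detection is by content, not by name, because a
# keytab dropped in /tmp need not be called *.keytab.
audit_keytabs() {
    dir=${1:-/tmp}
    find "$dir" -xdev -type f \( -perm -g+r -o -perm -o+r \) 2>/dev/null |
    while IFS= read -r f; do
        is_keytab "$f" || continue
        printf '%s %s %s\n' "$(mode_of "$f")" "$(owner_of "$f")" "$f"
    done
}

# exposed_keytab_count DIR: number of keytabs under DIR readable by other accounts.
exposed_keytab_count() { audit_keytabs "$1" | wc -l | tr -d ' '; }

# write_exposed_keytab DIR NAME: the weak pattern. With a normal umask (022) a file
# written into a shared directory such as /tmp comes out 0644, readable by everyone.
# The two-byte body is a constructed keytab header standing in for real key material.
write_exposed_keytab() {
    ( umask 022; printf '\005\002' > "$1/$2" ) && printf '%s\n' "$1/$2"
}

# write_private_keytab DIR NAME: the hardened pattern. The directory is created 0700
# and the file 0600 from the first instant, and noclobber (O_EXCL-style) creation
# makes the write fail if another user planted a file or symlink at that path.
# Refuses to overwrite an existing file.
write_private_keytab() {
    dest_dir=$1; name=$2; target="$dest_dir/$name"
    if [ -e "$target" ] || [ -L "$target" ]; then
        echo "refusing to overwrite existing $target" >&2
        return 1
    fi
    (
        umask 077                    # new dirs 0700, new files 0600
        mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || exit 1
        set -C                       # noclobber: fail if target appears meanwhile
        printf '\005\002' > "$target"
    ) || return 1
    printf '%s\n' "$target"
}

# Usage on a node: ./keytab_audit.sh --scan [/tmp]
if [ "${1:-}" = "--scan" ]; then
    if audit_keytabs "${2:-/tmp}" | grep .; then
        echo "exposed keytab(s) found" >&2
        exit 1
    fi
    echo "no keytab readable by other accounts under ${2:-/tmp}"
fi
```

Run the scan as root so that every file under the directory is readable to the checker; the mode test is on the file's permission bits, not on whether the caller happens to be able to open it. A non-zero count is the signal that keys on that node should be rotated, not merely that the file should be chmod'ed, because the window in which it was readable has already passed.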
Affected Countries
United States, Germany, Japan, India, United Kingdom, Canada, Australia, France, South Korea, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: AMZN
- Date Reserved: 2025-08-12T19:43:46.286Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689cc8bead5a09ad004f5c94
Added to database: 8/13/2025, 5:17:50 PM
Last enriched: 2/27/2026, 4:26:38 AM
Last updated: 3/24/2026, 7:02:49 AM
Views: 1372