Description

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.

PUBLISHED Reserved 2026-06-05 | Published 2026-06-10 | Updated 2026-06-10 | Assigner AMZN

HIGH: 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

HIGH: 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command

Product status

Default status
unaffected

Any version before 2.245.0
affected

References

github.com/aws/aws-cdk/releases/tag/v2.245.0 patch

aws.amazon.com/security/security-bulletins/2026-041-aws/ vendor-advisory

github.com/...ws-cdk/security/advisories/GHSA-999r-qq7v-r334 third-party-advisory

cve.org (CVE-2026-11417)

nvd.nist.gov (CVE-2026-11417)