PT-2026-45225 · Npm · @Hulumi/Policies

Publicado

2026-05-21

·

Atualizado

2026-05-21

CVSS v4.0

8.7

Alta

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Impact: @hulumi/policies versions before 1.3.2 did not fully inspect inline and attached IAM policy evidence for the administrator-policy guardrail, so some admin-equivalent policy paths could pass policy evaluation.
Patched in 1.3.2: the validator inspects the affected policy shapes and includes regression tests.
Remediation: upgrade @hulumi/policies to 1.3.2 or later.

Correção

Improper Privilege Management

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-269

Identificadores relacionados

GHSA-4XRH-5M3M-328W

Produtos afetados

@Hulumi/Policies