PT-2026-54636 · Amazon · Aws-Cdk-Lib
Mostafa Ashraf
·
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2026-13760
CVSS v3.1
7.3
High
| Vector | AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
aws-cdk-lib versions prior to 2.260.0
Description
OS command injection exists in the NodejsFunction Docker bundling pipeline within the OsCommand helper. An actor who can control dependency version strings in a project's package.json file may execute arbitrary commands on the host running the CDK toolchain by injecting shell metacharacters into the OsCommand helper. This occurs during Docker-based bundling when nodeModules are specified.
Recommendations
Upgrade to version 2.260.0.
Exploit
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Aws-Cdk-Lib