PT-2026-54636 · Amazon · Aws-Cdk-Lib

Mostafa Ashraf

·

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-13760

CVSS v3.1

7.3

High

VectorAV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions aws-cdk-lib versions prior to 2.260.0
Description OS command injection exists in the NodejsFunction Docker bundling pipeline within the OsCommand helper. An actor who can control dependency version strings in a project's package.json file may execute arbitrary commands on the host running the CDK toolchain by injecting shell metacharacters into the OsCommand helper. This occurs during Docker-based bundling when nodeModules are specified.
Recommendations Upgrade to version 2.260.0.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-13760
GHSA-VCRF-J523-4MRF

Affected Products

Aws-Cdk-Lib