CVE-2026-11417

OS Command Injection in NodejsFunction Bundling in aws-cdk-lib

CVSS 7 (HIGH) | EPSS 0.9% | CWE-78
In short

A vulnerability in the local bundling step of AWS CDK's NodejsFunction construct lets anyone who controls certain bundling properties run arbitrary shell commands on the machine that synthesizes the application, typically a developer workstation or a CI runner. The commands run with the privileges of the CDK process, so the attacker gets whatever that process can reach: source code, build artifacts, and any credentials present in its environment.

Technical detail

OS command injection via unsanitized bundling properties (externalModules, define, loader, inject, esbuildArgs) in the NodejsFunction local bundling pipeline, the code path used when esbuild is installed on the host rather than run inside a Docker container. Exploitation requires the threat actor to control the value of one or more of these properties in the CDK application; shell metacharacters in those values are passed unescaped into a shell command that is executed at build (synth) time. Impact is arbitrary command execution on the host running the CDK toolchain, with the privileges of the CDK process. In practice these values are often sourced from shared construct libraries, environment-specific configuration files or contributor pull requests, so "controls the configuration" can mean a supply-chain or insider position rather than prior access to the build host. Affected: aws-cdk-lib before 2.245.0 (before 2.246.0 on Windows, where the fix landed one release later); upgrade to those versions or newer.

The summary above was generated and translated by AI from the official description, reproduced below.
OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
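The bug class the technical detail describes, as an added illustration (this is not aws-cdk-lib's code and makes no claim about its exact internal code path): a bundler that flattens the bundling properties into one command string and hands it to `sh -c`, beside one that passes the same values as an argv array with no shell. `echo` stands in for `esbuild` so the example runs without esbuild installed; the `BundlingProps` shape and the `findUnsafeBundlingValues` guard are assumptions made here.

```typescript
import { spawnSync } from "child_process";

// Subset of the NodejsFunction bundling properties named in the advisory.
// Property names follow the advisory; the value shapes are assumed for this example.
export interface BundlingProps {
  externalModules?: string[];
  define?: Record<string, string>;
  loader?: Record<string, string>;
  inject?: string[];
  esbuildArgs?: Record<string, string | boolean>;
}

// Flatten the properties into esbuild-style CLI arguments, one array element each.
export function bundlingArgs(entry: string, props: BundlingProps): string[] {
  const args = [entry, "--bundle"];
  for (const m of props.externalModules || []) args.push(`--external:${m}`);
  const define = props.define || {};
  for (const k of Object.keys(define)) args.push(`--define:${k}=${define[k]}`);
  const loader = props.loader || {};
  for (const ext of Object.keys(loader)) args.push(`--loader:${ext}=${loader[ext]}`);
  for (const file of props.inject || []) args.push(`--inject:${file}`);
  const extra = props.esbuildArgs || {};
  for (const flag of Object.keys(extra)) {
    args.push(extra[flag] === true ? flag : `${flag}=${extra[flag]}`);
  }
  return args;
}

// VULNERABLE PATTERN: join the arguments into one string and let a shell re-parse it.
// A `;`, `$(...)`, backtick or `|` inside any property value becomes shell syntax.
export function runViaShell(tool: string, entry: string, props: BundlingProps): string {
  const command = [tool, ...bundlingArgs(entry, props)].join(" ");
  return spawnSync("sh", ["-c", command], { encoding: "utf8" }).stdout;
}

// HARDENED PATTERN: spawn the tool directly with an argv array and no shell.
// The poisoned value reaches the tool as one literal argument; metacharacters are inert.
export function runViaArgv(tool: string, entry: string, props: BundlingProps): string {
  return spawnSync(tool, bundlingArgs(entry, props), { encoding: "utf8", shell: false }).stdout;
}

// Pre-upgrade CI guard (assumed helper, not part of aws-cdk-lib): list the flattened
// arguments that contain shell metacharacters so a pipeline can refuse to synth.
const SHELL_META = /[;&|`$<>(){}\n\r'"\\]/;
export function findUnsafeBundlingValues(props: BundlingProps): string[] {
  // Skip the fixed entry/--bundle prefix; everything after it came from the props.
  return bundlingArgs("entry", props).slice(2).filter((a) => SHELL_META.test(a));
}

// Constructed sample input: one poisoned externalModules entry, as an actor who
// controls the bundling configuration might supply it.
export const poisoned: BundlingProps = {
  externalModules: ["aws-sdk; echo pwned"],
  define: { DEBUG: "false" },
};
```

Run it with `npx tsx` or compile with `tsc` on a POSIX host. `runViaShell("echo", "handler.ts", poisoned)` prints a second line beginning with `pwned` because the shell split the poisoned value at `;`, whereas `runViaArgv` delivers the whole value to the tool as one argument and prints exactly one line. The metacharacter check is a stop-gap for pipelines that cannot upgrade immediately, not a substitute for the fixed release: `define` values legitimately contain quotes, so tune the pattern to the bundling configuration you actually use.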