Description
OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application.

To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.
Published: 2026-06-10
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in the NodejsFunction local bundling pipeline of the AWS Cloud Development Kit library. When the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) is controlled by an adversary, the CDK build process passes those values to a shell, where embedded shell metacharacters allow arbitrary command execution. The vulnerability is a classic command injection flaw (CWE-78) that can compromise the host environment if the CDK tool runs with elevated privileges.

Affected Systems

The issue affects the AWS Cloud Development Kit library on all platforms for versions prior to 2.245.0, and on Windows for versions prior to 2.246.0. Users of older aws-cdk-lib releases should verify their current version and plan an upgrade accordingly.

Risk and Exploitability

The CVSS score of 7 indicates a moderate severity. While an EPSS score is not available, the lack of a KEV listing and the local nature of the vulnerability suggest a lower exploitation likelihood. An attacker must be able to inject values into the bundling configuration of a CDK application, a condition typically limited to developers or build pipelines with access to the source. However, once achieved, the attacker can execute shell commands on the CDK host with the same privileges as the user running the tool.

Generated by OpenCVE AI on June 10, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aws-cdk-lib to version 2.245.0 (or 2.246.0 on Windows) or later
  • Review and sanitize any bundling properties such as externalModules, define, loader, inject, or esbuildArgs to ensure no unsanitized input is passed
  • Audit existing CDK projects for uses of these properties; restrict them to safe defaults or remove them until the upgrade is applied

Generated by OpenCVE AI on June 10, 2026 at 19:20 UTC.
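To make the mechanism behind the description and the "review and sanitize" action concrete, here is an added illustration in JavaScript. It is not aws-cdk-lib's code and does not reproduce the fixed or unfixed bundler; it contrasts a hypothetical builder that joins bundling values into one shell command string with the argv-based pattern that never involves a shell, and adds a pre-flight check over the five properties the advisory names. The property shapes (string arrays for externalModules and inject, key/value objects for define, loader and esbuildArgs) and the sample values are assumptions for this example.

```javascript
// Added example, not aws-cdk-lib code: a hypothetical string-building bundler
// beside an argv-based pattern that avoids the shell, plus a pre-flight check
// over the bundling properties named in the advisory.

// Characters that let a value break out of its argument when a command line is
// built as one string and handed to a shell. Quotes and braces are left out
// because JSON-style define values ("prod", {}) legitimately contain them.
const SHELL_METACHARS = /[;&|`$<>()\n\r]/;

// Turn the bundling props into esbuild-style flag strings. Shapes assumed for
// this example: externalModules: string[], define: {name: value},
// loader: {'.ext': loaderName}, inject: string[], esbuildArgs: {flag: string|true}.
function toFlags(props) {
  const flags = [];
  for (const m of props.externalModules ?? []) flags.push(`--external:${m}`);
  for (const [k, v] of Object.entries(props.define ?? {})) flags.push(`--define:${k}=${v}`);
  for (const [ext, l] of Object.entries(props.loader ?? {})) flags.push(`--loader:${ext}=${l}`);
  for (const f of props.inject ?? []) flags.push(`--inject:${f}`);
  for (const [k, v] of Object.entries(props.esbuildArgs ?? {})) flags.push(v === true ? k : `${k}=${v}`);
  return flags;
}

// Unsafe pattern: everything is joined into one command line that a caller
// would run through a shell (e.g. child_process.execSync). A value such as
// "lodash; echo injected" becomes two shell commands instead of one flag.
function buildShellCommand(props) {
  return ['esbuild', 'index.ts', '--bundle', ...toFlags(props)].join(' ');
}

// Hardened pattern: keep each flag as its own argv element and execute without
// a shell (child_process.execFileSync(file, args), or spawn with shell: false).
// The same value stays a single literal argument that esbuild sees as a name.
function buildArgv(props) {
  return { file: 'esbuild', args: ['index.ts', '--bundle', ...toFlags(props)] };
}

// Pre-flight check for a CDK app or CI pipeline: list every property value
// that carries shell metacharacters so the synth can be failed before bundling.
function findUnsafeValues(props) {
  const findings = [];
  const check = (property, value) => {
    if (typeof value === 'string' && SHELL_METACHARS.test(value)) findings.push({ property, value });
  };
  for (const m of props.externalModules ?? []) check('externalModules', m);
  for (const [k, v] of Object.entries(props.define ?? {})) { check('define', k); check('define', v); }
  for (const [ext, l] of Object.entries(props.loader ?? {})) { check('loader', ext); check('loader', l); }
  for (const f of props.inject ?? []) check('inject', f);
  for (const [k, v] of Object.entries(props.esbuildArgs ?? {})) { check('esbuildArgs', k); check('esbuildArgs', v); }
  return findings;
}

// Constructed sample input: one tainted externalModules entry among clean values.
const SAMPLE_PROPS = {
  externalModules: ['@aws-sdk/client-s3', 'lodash; echo injected'],
  define: { 'process.env.STAGE': '"prod"' },
  esbuildArgs: { '--log-level': 'warning', '--tree-shaking': true },
};

console.log(buildShellCommand(SAMPLE_PROPS)); // the tainted value is spliced into the command line
console.log(buildArgv(SAMPLE_PROPS).args);    // the tainted value is one argv element
console.log(findUnsafeValues(SAMPLE_PROPS));  // [{ property: 'externalModules', value: 'lodash; echo injected' }]
```

The check is a guard for pipelines that cannot upgrade immediately and for values that come from outside the repository (context parameters, environment, generated config); the durable fix remains the upgrade plus executing the bundler with an argv array rather than a shell string.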


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Metrics              (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.
Title                (none)           OS Command Injection in NodejsFunction Bundling in aws-cdk-lib
First Time appeared  (none)           Aws; Aws aws Cloud Development Kit Library
Weaknesses           (none)           CWE-78
CPEs                 (none)           cpe:2.3:a:aws:aws_cloud_development_kit_library:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Aws; Aws aws Cloud Development Kit Library
References           (none)           (none)
Metrics              (none)           cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}
                                      cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-06-10T18:17:44.552Z

Reserved: 2026-06-05T19:19:07.636Z

Link: CVE-2026-11417

Vulnrichment

Updated: 2026-06-10T18:17:41.343Z

NVD

Status : Awaiting Analysis

Published: 2026-06-10T18:16:39.940

Modified: 2026-06-10T18:35:49.083

Link: CVE-2026-11417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:30:37Z

Weaknesses