EXECUTIVE SUMMARY:
CVE-2026-11417 (CVSS score 7.0, high severity) is an OS command injection vulnerability in the aws-cdk-lib package, affecting versions prior to 2.246.0, in the local bundling pipeline of the NodejsFunction construct. Bundling properties such as externalModules, define, loader, inject, or esbuildArgs reach a shell command, so an attacker who controls the value of one or more of these properties can inject shell metacharacters and execute arbitrary commands on the host running the CDK toolchain (typically the developer workstation or CI runner that performs the synth). The attack vector is local, requires low privileges and user interaction, and has high confidentiality, integrity, and availability impact: the injected commands run with the privileges of the user running the CDK toolchain, which can lead to data breaches (including exposure of any cloud credentials stored on that host), system compromise, and disruption of services. Exploitation requires that the attacker controls the value of an affected bundling property in the CDK application, which can occur through an untrusted npm dependency that sets these properties (for example a third-party construct library) or through a malicious pull request.
RECOMMENDATION:
We recommend updating aws-cdk-lib to version 2.246.0 or later. Confirm the version actually resolved in each project with npm ls aws-cdk-lib (or the equivalent for your package manager), since third-party construct libraries can pull in an older copy transitively, and review any dependency or pull request that sets NodejsFunction bundling properties from values you do not control.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-999r-qq7v-r334