42 matches found

Veracode
added 2026/06/16 5:23 a.m., 8 views

Command Injection

aws-cdk-lib is vulnerable to Command Injection. The vulnerability is due to improper sanitization of user-controlled bundling properties in the NodejsFunction local bundling pipeline, which allows an attacker to inject shell metacharacters and execute arbitrary commands on the host running the CD...

CVSS 7.3, AI score 5.7, EPSS 0.00936
Exploits: 1, References: 7, Affected Software: 1
EUVD
added 2026/06/15 8:47 p.m., 9 views

EUVD-2026-36076

aws-cdk-lib: OS Command Injection in NodejsFunction Bundling...

CVSS 7.3, AI score 5.3, EPSS 0.00936
Exploits: 1, References: 6
OSV
added 2026/06/15 8:47 p.m., 6 views

GHSA-999R-QQ7V-R334 aws-cdk-lib: OS Command Injection in NodejsFunction Bundling

Summary: AWS CDK aws-cdk-lib is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 2.246.0 on Windows might allow a threat actor who...

CVSS 7.3, AI score 6.3, EPSS 0.00936
Exploits: 1, References: 7
Github Security Blog
added 2026/06/15 8:47 p.m., 6 views

aws-cdk-lib: OS Command Injection in NodejsFunction Bundling

Summary: AWS CDK aws-cdk-lib is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 2.246.0 on Windows might allow a threat actor who...

CVSS 7.3, AI score 6.3, EPSS 0.00936
Exploits: 1, References: 7, Affected Software: 1
Snyk
added 2026/06/10 7:23 p.m., 4 views

Command Injection

Overview: aws-cdk-lib is Version 2 of the AWS Cloud Development Kit library. Affected versions of this package are vulnerable to Command Injection via the NodejsFunction local bundling pipeline, when an attacker controls the value of one or more of the properties externalModules, define, loader,...

CVSS 7.3, AI score 5.9, EPSS 0.00936
Exploits: 1, References: 2
NVD
added 2026/06/10 6:16 p.m., 10 views

CVE-2026-11417

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 2.246.0 on Windows might allow an actor who controls the value of one or more bundling properties externalModules, define, loader, inject, or esbuildArgs to execute arbitrary commands on the host...

CVSS 7.3, EPSS 0.00936
Exploits: 1, References: 3
Cvelist
added 2026/06/10 5:39 p.m., 29 views

CVE-2026-11417 OS Command Injection in NodejsFunction Bundling in aws-cdk-lib

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 2.246.0 on Windows might allow an actor who controls the value of one or more bundling properties externalModules, define, loader, inject, or esbuildArgs to execute arbitrary commands on the host...

CVSS 7.3, EPSS 0.00936
Exploits: 1, References: 3
Vulnrichment
added 2026/06/10 5:39 p.m., 7 views

CVE-2026-11417 OS Command Injection in NodejsFunction Bundling in aws-cdk-lib

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 2.246.0 on Windows might allow an actor who controls the value of one or more bundling properties externalModules, define, loader, inject, or esbuildArgs to execute arbitrary commands on the host...

CVSS 7.3, AI score 5.9, EPSS 0.00936
Exploits: 1, References: 3
CVE
added 2026/06/10 5:39 p.m., 43 views

CVE-2026-11417

OS command injection in the NodejsFunction local bundling pipeline of aws-cdk-lib (pre-2.245.0; 2.246.0 on Windows) allows a threat actor who controls bundling properties (externalModules, define, loader, inject, esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via...

CVSS 7.3, AI score 5.9, EPSS 0.00936
Exploits: 1, References: 3
Positive Technologies
added 2026/06/10 12:00 a.m., 9 views

PT-2026-48489

Name of the Vulnerable Software and Affected Versions: aws-cdk-lib versions prior to 2.245.0; aws-cdk-lib versions prior to 2.246.0 (Windows). Description: OS command injection exists in the NodejsFunction local bundling pipeline. An actor who controls the value of one or more bundling...

CVSS 7.3, AI score 6.2, EPSS 0.00936
Exploits: 1, References: 11
OSSF Malicious Packages
added 2026/03/20 4:53 a.m., 5 views

Malicious code in json-bundling (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector (61f19cbc17dc9182ab2266b7b505dedb74da2b797aa6661669f53efd1b86777a): The package json-bundling was found to contain malicious code. Source: ghsa-malware (debc855dc41e080d6afbfd087c2a01d8d9e5fac885734e59fb2e1adb870d6198)...

AI score 5.7
Exploits: 0, References: 1
Snyk
added 2026/03/20 4:53 a.m., 4 views

Malicious Package

Overview: json-bundling is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 2
OSV
added 2026/03/20 4:53 a.m., 3 views

MAL-2026-1977 Malicious code in json-bundling (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector (61f19cbc17dc9182ab2266b7b505dedb74da2b797aa6661669f53efd1b86777a): The package json-bundling was found to contain malicious code. Source: ghsa-malware (debc855dc41e080d6afbfd087c2a01d8d9e5fac885734e59fb2e1adb870d6198)...

AI score 5.7
Exploits: 0, References: 1
CNNVD
added 2026/02/19 12:00 a.m., 6 views

NanaZip security vulnerability

NanaZip is open-source compression software by the M2-Team. Versions of NanaZip prior to 6.0.1630.0 contained security vulnerabilities. These vulnerabilities stemmed from a lack of boundary checks in the .NET Single File bundling header parser, which could lead to out-of-bounds heap access...

CVSS 6.6, AI score 5.8, EPSS 0.00172
Exploits: 1, References: 2
Hacker One
added 2026/02/17 10:22 a.m., 12 views

AWS VDP: Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs`

Asset: aws-cdk-lib npm package, source: https://github.com/aws/aws-cdk. Severity: High. CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). --- Summary: The NodejsFunction construct in aws-cdk-lib/aws-lambda-nodejs constructs a shell command string...

AI score 6.1
Exploits: 0
OSV
added 2025/12/20 9:03 a.m., 13 views

RLSA-2023:5360 Important: nodejs:16 security, bug fix, and enhancement update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 16. BZ2233891 Security Fixes: nodejs: Permissions policies can be bypassed via...

CVSS 8.8, AI score 6.8, EPSS 0.02761
Exploits: 2, References: 5
UbuntuCve
added 2025/12/05 4:15 p.m., 5 views

CVE-2025-66418

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...

CVSS 8.9, AI score 6.8, EPSS 0.00622
Exploits: 0, References: 6
Debian CVE
added 2024/08/27 5:07 p.m., 19 views

CVE-2024-43788

Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack's...

CVSS 6.4, AI score 5, EPSS 0.00897
Exploits: 1
Veracode
added 2024/04/01 4:00 a.m., 21 views

Information Leakage

@electron/packager is vulnerable to Information Leakage. The vulnerability is due to improper memory allocation during the bundling process, which can expose sensitive information such as environment variables or secret files...

CVSS 7.5, AI score 6.4, EPSS 0.00633
Exploits: 0, References: 2, Affected Software: 1
Code423n4
added 2023/12/20 12:00 a.m., 11 views

Using block.timestamp as the deadline/expiry invites MEV

Lines of code: 307. Vulnerability details: Passing block.timestamp as the expiry/deadline of an operation does not mean "require immediate execution" - it means "whatever block this transaction appears in, I'm comfortable with that block's timestamp". Providing this value means that a malicious mine...

AI score 6.8
Exploits: 0