Command Injection

aws-cdk-lib is vulnerable to Command Injection. The vulnerability is due to improper sanitization of user-controlled bundling properties in the NodejsFunction local bundling pipeline, which allows an attacker to inject shell metacharacters and execute arbitrary commands on the host running the CD...

CVE-2026-11417

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 2.246.0 on Windows might allow an actor who controls the value of one or more bundling properties externalModules, define, loader, inject, or esbuildArgs to execute arbitrary commands on the host...

CVE-2026-11417 OS Command Injection in NodejsFunction Bundling in aws-cdk-lib

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 2.246.0 on Windows might allow an actor who controls the value of one or more bundling properties externalModules, define, loader, inject, or esbuildArgs to execute arbitrary commands on the host...

CVE-2026-11417

OS command injection in the NodejsFunction local bundling pipeline of aws-cdk-lib (pre-2.245.0; 2.246.0 on Windows) allows a threat actor who controls bundling properties (externalModules, define, loader, inject, esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via...

AWS Cloud Development Kit 操作系统命令注入漏洞

AWS Cloud Development Kit is an open-source software development framework developed by Amazon Web Services. It is used to define cloud infrastructure in code and configure it using AWS CloudFormation. Versions of the AWS Cloud Development Kit prior to 2.245.0 contained a vulnerability related to...

AWS VDP: Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs`

Asset: aws-cdk-lib npm package, source: https://github.com/aws/aws-cdk Severity: High CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection' --- Summary The NodejsFunction construct in aws-cdk-lib/aws-lambda-nodejs constructs a shell command string...

CVE-2025-23206

The AWS Cloud Development Kit AWS CDK is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow...

CVE-2023-50253

Laf is a cloud development platform. In the Laf version design, the log uses communication with k8s to quickly retrieve logs from the container without the need for additional storage. However, in version 1.0.0-beta.13 and prior, this interface does not verify the permissions of the pod, which...

EUVD-2025-7239

Malicious code in bioql PyPI...

EUVD-2023-1884

Malicious code in bioql PyPI...

EUVD-2024-2637

Malicious code in bioql PyPI...

EUVD-2025-0113

Malicious code in bioql PyPI...

EUVD-2023-55068

Malicious code in bioql PyPI...

Coder 代码问题漏洞

Coder is an application from Coder Inc. that allows for the setup of development environments in public or private cloud infrastructures. A code issue vulnerability exists in Coder versions 2.24.3 and earlier and 2.25.0 through 2.25.1, which stems from mishandling of sessions and could lead to...

The vulnerability of the IBM Cloud DevOps server’s Jenkins plugin, related to the storage of keys in an open manner, allows a hacker to gain unauthorized access to protected information.

The vulnerability of the IBM Cloud DevOps server’s Jenkins plugin lies in the fact that keys are stored publicly in the config.xml file. Exploiting this vulnerability could allow a malicious actor to gain unauthorized access to protected information...

CVE-2024-45037

The AWS Cloud Development Kit CDK is an open-source framework for defining cloud infrastructure using code. Customers use it to create their own applications which are converted to AWS CloudFormation templates during deployment to a customer’s AWS account. CDK contains pre-built components called...

GHSA-QC59-CXJ2-C2W4 aws-cdk-lib's aspect order change causes different Permissions Boundary assigned to Role

Summary The AWS Cloud Development Kit AWS CDK is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. In the CDK, developers organize their applications into reusable components called "constructs," which are...

PT-2025-19363 · Npm · Aws-Cdk-Lib

Summary The AWS Cloud Development Kit AWS CDK is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. In the CDK, developers organize their applications into reusable components called "constructs," which are...

CVE-2025-2598

When the AWS Cloud Development Kit AWS CDK Command Line Interface AWS CDK CLI is used with a credential plugin which returns an expiration property with the retrieved AWS credentials, the credentials are printed to the console output. To mitigate this issue, users should upgrade to version 2.178....

@aws-cdk/integ-runner (>=2.172.0-alpha.0 <=2.178.1-alpha.0), @bifravst/http-api-mock (>=2.1.97 <=2.1.144) +4 more potentially affected by CVE-2025-2598 via aws-cdk (>=2.172.0 <=2.178.1)

aws-cdk NPM version =2.172.0, =2.172.0-alpha.0, =2.1.97, =4.3.190, =3.2.25, =2.172.0, =2.178.1 Source cves: CVE-2025-2598 Source advisory: OSV:GHSA-V63M-X9R9-8GQP...