GHSA-q2f7-m237-v562: @hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators

May 21, 2026

Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in G_OIDC_1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail.

Patched in 1.3.2: the AWS trust-policy inspector now evaluates set-qualified string operators and rejects unsafe GitHub OIDC sub conditions.

Remediation: upgrade @hulumi/policies to 1.3.2 or later.

References

github.com/advisories/GHSA-q2f7-m237-v562
github.com/kerberosmansour/hulumi/security/advisories/GHSA-q2f7-m237-v562

Code Behaviors & Features

Detect and mitigate GHSA-q2f7-m237-v562 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →