CVE-2026-11417: aws-cdk-lib: OS Command Injection in NodejsFunction Bundling
AWS CDK (aws-cdk-lib) is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow a threat actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application.
References
- aws.amazon.com/security/security-bulletins/2026-041-aws
- github.com/advisories/GHSA-999r-qq7v-r334
- github.com/aws/aws-cdk/pull/37292
- github.com/aws/aws-cdk/pull/37412
- github.com/aws/aws-cdk/releases/tag/v2.245.0
- github.com/aws/aws-cdk/security/advisories/GHSA-999r-qq7v-r334
- nvd.nist.gov/vuln/detail/CVE-2026-11417
Code Behaviors & Features
Detect and mitigate CVE-2026-11417 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →