{"uuid": "69eefbc6-285f-485d-9779-df999277ce55", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11417", "type": "seen", "source": "https://gist.github.com/alon710/35567f659305b91f7bbc4ee7db5dd621", "content": "# CVE-2026-11417: OS Command Injection in AWS CDK NodejsFunction Bundling Pipeline\n\n> **CVSS Score:** 7.3\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-11417\n\n## Summary\nA supply-chain OS command injection vulnerability exists in the NodejsFunction local bundling pipeline of the AWS Cloud Development Kit (CDK) library (aws-cdk-lib) before version 2.245.0 (and before 2.246.0 on Windows). A threat actor who controls any of several bundling properties (externalModules, define, loader, inject or esbuildArgs), for example through a third-party construct or dependency, can execute arbitrary operating system commands on the host that runs the CDK toolchain, i.e. during cdk synth, cdk deploy or cdk diff.\n\n## TL;DR\nBundling properties are interpolated unsanitized into a shell command string in the AWS CDK NodejsFunction bundling component, so shell metacharacters in those properties execute as commands on the developer or CI host during infrastructure synthesis (cdk synth). No authentication is required; the attacker only needs to influence the CDK application's source or its dependencies.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)\n- **Attack Vector**: Local\n- **CVSS Score**: 7.3 (CVSS:3.1, High)\n- **EPSS Score**: 0.00657 (Percentile: 46.42%)\n- **Impact**: Unauthenticated OS Command Execution\n- **Exploit Status**: Proof of Concept / Public Exploit Code Available\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- AWS CDK (aws-cdk-lib)\n- **aws-cdk-lib**: < 2.245.0 (Fixed in: `2.245.0`)\n- **aws-cdk-lib (Windows)**: < 2.246.0 (Fixed in: `2.246.0`)\n\n## Mitigation\n\n- Upgrade aws-cdk-lib to version 2.245.0 or later (Linux/macOS) or 2.246.0 or later (Windows); the fix replaces shell-string execution with direct process spawning, so bundling properties are passed as discrete arguments instead of being parsed by a shell\n- Use container-based (Docker) bundling to isolate the bundling step from the host; the esbuild command still runs with the supplied properties, but inside the container rather than on the developer or CI machine\n- Adopt static application security testing (SAST) tools to detect unneutralized shell strings in infrastructure definitions\n\n**Remediation Steps:**\n1. Identify all occurrences of NodejsFunction constructs in AWS CDK infrastructure repositories, including those instantiated indirectly by third-party constructs.\n2. Inspect the bundling parameters externalModules, loader, define, inject and esbuildArgs for values that are not static literals under the repository owner's control, and for shell metacharacters such as `;`, `|`, `&`, `$(`, backticks and newlines.\n3. Run 'npm install aws-cdk-lib@latest' to update to a patched version, then confirm the resolved version with 'npm ls aws-cdk-lib' (2.245.0 or later; 2.246.0 or later on Windows).\n4. Run cdk synth in CI in a non-privileged environment that restricts local file and network access, so that a malicious bundling option cannot reach deployment credentials or the wider network.\n\n## References\n\n- [NVD CVE Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-11417)\n- [AWS Security Bulletin](https://aws.amazon.com/security/security-bulletins/2026-041-aws/)\n- [GitHub Security Advisory](https://github.com/aws/aws-cdk/security/advisories/GHSA-999r-qq7v-r334)\n- [AWS CDK Local Bundling Pull Request #37292](https://github.com/aws/aws-cdk/pull/37292)\n- [AWS CDK Windows Process Spawning Pull Request #37412](https://github.com/aws/aws-cdk/pull/37412)\n- [AWS CDK Release v2.245.0](https://github.com/aws/aws-cdk/releases/tag/v2.245.0)\n- [Public Proof of Concept Repository](https://github.com/HeshamASH/CVE-2026-11417-AWS-CDK-RCE)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-11417) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T21:41:17.000000Z"}