CVE-2026-11417: OS Command Injection in NodejsFunction Bundling in aws-cdk-lib
OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.
Metrics
- CVSS v4.0: 7.0
- Severity: HIGH
- Fixed in: 2.245.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
OS command injection in the NodejsFunction local bundling pipeline of aws-cdk-lib allows an attacker who controls one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to inject shell metacharacters and run arbitrary commands on the host executing the CDK toolchain. The attack requires local access to the host and a low-privilege account, plus a user action to trigger the bundling pipeline, but no privilege escalation beyond that. Successful exploitation gives the attacker high confidentiality, integrity, and availability impact against the host process (read, write, and crash). A patched-image rebuild at aws-cdk-lib 2.245.0 (2.246.0 on Windows) is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11417 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle aws-cdk-lib directly. Any image whose manifest or dependency tree references an aws-cdk-lib version below 2.245.0 (or below 2.246.0 on Windows) is flagged automatically.
HarborGuard scores this CVE at 7.0 HIGH using the CVSS v4.0 vector and can weight that score against each environment's compliance policy to reflect local risk tolerance. Triage results can be routed to the appropriate team inbox within each customer organization based on registry ownership and policy rules.
A patched-image rebuild pinned to aws-cdk-lib 2.245.0 (or 2.246.0 on Windows) is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host running the CDK toolchain; no network-facing service is exposed.
- Authentication: Required
  Any low-privilege account on the host is sufficient; no admin or elevated credentials are required.
- Victim interaction: Required
  A user must trigger the NodejsFunction bundling pipeline (for example, by running a CDK synth or deploy command) for the injected shell metacharacters to execute.
- Attack complexity: Low (AC:L)
  The exploit is reliable and condition-free once the attacker controls at least one of the affected bundling properties; no race conditions or special memory layout are required.
Blast Radius
- Reads files and environment variables accessible to the CDK toolchain process, including credentials, secrets, and source code on the build host.
- Writes or overwrites files on the host, enabling persistence mechanisms or corruption of build artifacts.
- Executes arbitrary processes under the identity of the CDK toolchain user, allowing lateral movement within the build environment.
- Crashes or disrupts the CDK toolchain process, blocking infrastructure deployments.
How HarborGuard Handles This
Available on HarborGuard: images containing aws-cdk-lib below 2.245.0 (2.246.0 on Windows) are detectable immediately upon CVE ingestion, with matching running against all registries and CI pipeline images a customer has connected. Where compliance policy permits, auto-remediation is capable of rebuilding the image at the fixed version, running a regression test pass, and opening a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers who prefer manual remediation or whose compliance policy requires human approval, HarborGuard surfaces the finding with the exact package version and image layer location needed to prioritize the upgrade. Because exploitation requires an attacker to control a bundling property value inside the CDK application, teams that review and restrict third-party contributions to CDK application configuration can reduce exposure while the upgrade is scheduled.
Affected Products
- AWS / AWS Cloud Development Kit library: < 2.245.0 (from 0)
CVSS v4.0 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N