OS Command Injection in NodejsFunction Bundling in aws-cdk-lib
CVE-2026-11417

7HIGH

Key Information:

Vendor

Aws

Status
Aws Cloud Development Kit Library
Vendor
CVE Published:
10 June 2026

What is CVE-2026-11417?

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application.

To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.

Affected Version(s)

AWS Cloud Development Kit library 0 < 2.245.0

References

https://github.com/aws/aws-cdk/releases/tag/v2.245.0
patch
https://aws.amazon.com/security/security-bulletins/2026-0...
vendor-advisory
https://github.com/aws/aws-cdk/security/advisories/GHSA-9...
third-party-advisory

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.