OS Command Injection in AWS CDK Toolchain Affecting AWS
CVE-2026-11417
7 HIGH
What is CVE-2026-11417?
An OS command injection vulnerability exists in the NodejsFunction local bundling pipeline of aws-cdk-lib prior to version 2.245.0, and versions prior to 2.246.0 on Windows. This flaw can be exploited by an attacker who manipulates the values of specific bundling properties—such as externalModules, define, loader, inject, or esbuildArgs—to execute arbitrary commands on the host running the AWS CDK toolchain. To mitigate this risk, it is crucial for users to update to aws-cdk-lib 2.245.0 or newer (2.246.0 or newer on Windows).
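As an added example (not code from this advisory or from the aws-cdk project), the TypeScript below shows two defender-side checks for this issue: whether an installed aws-cdk-lib version is still affected, using the fixed versions stated above and the Windows distinction, and a pre-synth validator that flags shell metacharacters in the five bundling properties named. The BundlingInput shape and the metacharacter set are assumptions for illustration, not the project's own fix.

```typescript
// Added example for CVE-2026-11417; not code from the advisory or aws-cdk.
// Fixed versions as stated in the advisory (2.246.0 applies on Windows).
const FIXED_VERSION = "2.245.0";
const FIXED_VERSION_WINDOWS = "2.246.0";

function parseVersion(v: string): number[] {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when a < b by major.minor.patch.
function versionLess(a: string, b: string): boolean {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Installed aws-cdk-lib is affected if below the fix for this platform.
function isAffected(version: string, isWindows: boolean): boolean {
  return versionLess(version, isWindows ? FIXED_VERSION_WINDOWS : FIXED_VERSION);
}

// Hypothetical subset of NodejsFunction bundling options named in the advisory.
interface BundlingInput {
  externalModules?: string[];
  define?: Record<string, string>;
  loader?: Record<string, string>;
  inject?: string[];
  esbuildArgs?: Record<string, string | boolean>;
}

// Shell control characters (assumed set, not the project's own check).
// Quotes are left out: esbuild `define` values are often JSON-quoted.
const SHELL_META = /[;&|`$<>(){}\n\r]/;
// Returns offending "property=value" entries; an empty array means clean.
function findUnsafeBundlingValues(opts: BundlingInput): string[] {
  const bad: string[] = [];
  const check = (prop: string, v: unknown): void => {
    if (typeof v === "string" && SHELL_META.test(v)) bad.push(`${prop}=${v}`);
  };
  (opts.externalModules ?? []).forEach((v) => check("externalModules", v));
  (opts.inject ?? []).forEach((v) => check("inject", v));
  const maps: [string, Record<string, unknown> | undefined][] = [
    ["define", opts.define], ["loader", opts.loader], ["esbuildArgs", opts.esbuildArgs],
  ];
  for (const [prop, m] of maps)
    for (const [k, v] of Object.entries(m ?? {})) { check(prop, k); check(prop, v); }
  return bad;
}
```

Run `findUnsafeBundlingValues` on the bundling options before constructing the NodejsFunction and fail the synth on any finding; the version check belongs in CI next to the dependency audit.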
Affected Version(s)
AWS Cloud Development Kit library (aws-cdk-lib): all versions < 2.245.0 (< 2.246.0 on Windows)
