OS Command Injection in AWS CDK Library Impacting Node.js Functions
CVE-2026-13760
7 HIGH
What is CVE-2026-13760?
A critical vulnerability exists in aws-cdk-lib that allows OS command injection through the Node.js function Docker bundling pipeline. An attacker who can control the dependency version strings in a project's package.json can use this flaw to execute arbitrary commands on the host running the AWS Cloud Development Kit (CDK) toolchain, because shell metacharacters in those strings reach the OsCommand helper during Docker-based bundling. Users are urged to apply the patch provided in version 2.260.0 to mitigate the risks associated with this vulnerability.
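The bug class the advisory describes, as an added example that is not code from aws-cdk-lib and does not reproduce its OsCommand helper: a hypothetical bundling helper that interpolates package.json version strings into a shell command line, beside a pre-bundling check and a hardened form that validates names and versions against an allowlist and hands them over as discrete argv entries so no shell parses them.

```typescript
// Simplified model of the bug class: dependency versions read from package.json
// end up inside a shell command line. Hypothetical code, not aws-cdk-lib's helper.

// Constructed sample package.json content; "some-lib" carries a hypothetical
// version string containing shell metacharacters.
const SAMPLE_PACKAGE_JSON: string = JSON.stringify({
  dependencies: {
    esbuild: "^0.21.0",
    "some-lib": "1.0.0; echo injected",
  },
});

// Strict allowlists. Versions: semver-style characters only; no ; & | ` $ ( ) < >
// quotes or whitespace, so complex ranges such as "1.x || 2.x" are rejected rather
// than interpolated (fail closed). Names: unscoped or @scope/name, lowercase.
const SAFE_VERSION = /^[A-Za-z0-9.^~=*+-]+$/;
const SAFE_NAME = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/;

function parseDependencies(packageJson: string): Record<string, string> {
  const parsed = JSON.parse(packageJson) as { dependencies?: Record<string, string> };
  return parsed.dependencies ?? {};
}

// Vulnerable pattern: string interpolation into a command destined for `sh -c`.
// Returned, never executed here; it shows where a version string becomes shell syntax.
function vulnerableInstallCommand(deps: Record<string, string>): string {
  const specs = Object.entries(deps).map(([name, version]) => `${name}@${version}`);
  return `npm install ${specs.join(" ")}`;
}

// Detection: which dependencies carry a name or version that fails the allowlist?
// Usable as a pre-bundling check on a package.json from an untrusted source.
function findUnsafeVersions(deps: Record<string, string>): string[] {
  return Object.entries(deps)
    .filter(([name, version]) => !SAFE_NAME.test(name) || !SAFE_VERSION.test(version))
    .map(([name]) => name);
}

// Hardened form: validate every entry, then return a discrete argv array. Pass it
// to spawnSync(argv[0], argv.slice(1), { shell: false }) (or as the trailing
// arguments of a `docker run` argv) so no shell, on host or in container, parses it.
function safeInstallArgv(deps: Record<string, string>): string[] {
  const bad = findUnsafeVersions(deps);
  if (bad.length > 0) {
    throw new Error(`refusing to bundle: unsafe dependency spec for ${bad.join(", ")}`);
  }
  const specs = Object.entries(deps).map(([name, version]) => `${name}@${version}`);
  return ["npm", "install", ...specs];
}
```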
Affected Version(s)
AWS CDK (aws-cdk-lib): >= 0, < 2.260.0
