js · aws-cdk-lib · Critical
aws-cdk-lib: OS command injection in NodejsFunction bundling pipeline
What changed
OS command injection in NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) allows arbitrary command execution via shell metacharacters in bundling properties (externalModules, define, loader, inject, esbuildArgs).
Who it affects
Users of aws-cdk-lib < 2.245.0 (or < 2.246.0 on Windows) who use NodejsFunction with bundling properties that may be controlled by untrusted sources (e.g., third-party constructs, pull requests).
What to do today
Upgrade aws-cdk-lib to version 2.245.0 or later (2.246.0 on Windows) to fix the shell injection vulnerability.
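The two checks a CDK project owner wants before the next deploy follow from the advisory: is the installed aws-cdk-lib at or above the fixed version for this platform, and do any of the listed bundling properties (externalModules, define, loader, inject, esbuildArgs) carry shell metacharacters from a source the project does not control. The script below is an added example written for this page, not code from the advisory or from aws-cdk-lib; the function names, the metacharacter set and the sample bundling object are assumptions constructed for illustration, and the version string fed in at the bottom is a placeholder for the one you read from your own lockfile.

```javascript
// Added example (not part of the advisory or aws-cdk-lib): a pre-deployment
// check for a CDK project that uses NodejsFunction.
//  1. isFixed()                 compares the installed aws-cdk-lib version with
//                               the fixed versions named in the advisory.
//  2. findShellMetacharacters() scans the bundling properties the advisory
//                               lists for characters with meaning to a shell,
//                               so untrusted values are rejected before bundling.

// Fixed versions from the advisory: 2.245.0, or 2.246.0 on Windows.
const FIXED_VERSION = { default: '2.245.0', win32: '2.246.0' };

// Bundling properties named in the advisory as the injection vector.
const AFFECTED_PROPS = ['externalModules', 'define', 'loader', 'inject', 'esbuildArgs'];

// Conservative set of shell metacharacters (assumption: quotes are deliberately
// excluded because `define` values legitimately contain them; widen if desired).
const SHELL_META = /[;&|`$<>()\n\r]/;

// Parse "2.245.0", "^2.245.0" or "v2.245.0" into [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^[v^~]/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when installedVersion >= the fixed version for the given platform.
function isFixed(installedVersion, platform = process.platform) {
  const required = platform === 'win32' ? FIXED_VERSION.win32 : FIXED_VERSION.default;
  const have = parseVersion(installedVersion);
  const need = parseVersion(required);
  for (let i = 0; i < 3; i++) {
    if (have[i] !== need[i]) return have[i] > need[i];
  }
  return true;
}

// Flatten strings out of arrays and objects, keeping a path for the report.
// Object keys are collected too: for define/loader/esbuildArgs the keys end
// up on the command line just like the values.
function collectStrings(value, path, out) {
  if (typeof value === 'string') {
    out.push({ path, value });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => collectStrings(v, `${path}[${i}]`, out));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      collectStrings(k, `${path}.<key>`, out);
      collectStrings(v, `${path}.${k}`, out);
    }
  }
}

// Returns one finding per string that contains a shell metacharacter.
function findShellMetacharacters(bundling) {
  const findings = [];
  for (const prop of AFFECTED_PROPS) {
    if (!(prop in bundling)) continue;
    const strings = [];
    collectStrings(bundling[prop], prop, strings);
    for (const { path, value } of strings) {
      const m = SHELL_META.exec(value);
      if (m) findings.push({ path, value, char: m[0] });
    }
  }
  return findings;
}

// Combined verdict: deploy only when the library is fixed AND nothing is flagged.
function preflight(installedVersion, bundling, platform = process.platform) {
  const fixed = isFixed(installedVersion, platform);
  const findings = findShellMetacharacters(bundling);
  return { fixed, findings, ok: fixed && findings.length === 0 };
}

// Constructed sample bundling props, as a NodejsFunction `bundling` block might
// look after a third-party construct or pull request has added an entry.
const SAMPLE_BUNDLING = {
  externalModules: ['aws-sdk', 'lodash; echo injected'],
  define: { 'process.env.STAGE': '"prod"' },
  loader: { '.png': 'dataurl' },
  esbuildArgs: { '--log-limit': '0' },
};

// Placeholder version; read the real one from package-lock.json / yarn.lock.
console.log(JSON.stringify(preflight('2.244.0', SAMPLE_BUNDLING, 'linux'), null, 2));
```

The version check alone is not enough on a project that accepts bundling properties from outside, which is why the scan is kept as a separate gate: after upgrading, a flagged value still indicates input that was never meant to reach the bundler, and it is simpler to reject it in CI than to reason about how esbuild will interpret it.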