Skip to main content

@hulumi/drift CVE-2026-48036

HIGH
Improper Handling of Exceptional Conditions (CWE-755)
2026-06-10 https://github.com/kerberosmansour/hulumi GHSA-32g3-35g9-wc9g
Share

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 10, 2026 - 14:20 vuln.today
Analysis Generated
Jun 10, 2026 - 14:20 vuln.today

DescriptionCVE.org

Affected: @hulumi/drift < 1.4.0 - Fixed in: 1.4.0 - Severity: Medium - CWE-755 (Improper Handling of Exceptional Conditions)

Summary

@hulumi/drift runs four adapters that each ask a different question about whether a resource has drifted (Pulumi-state diff, provider-version change, CloudTrail event, etc.). A classifier combines the adapters' answers into a verdict like None / none, ConsoleBreakGlass / high, or Mixed / high, and caches the verdict for 6 hours by default.

Two related bugs from one root cause - the classifier only read each adapter's detected: true/false field and ignored whether the adapter itself succeeded:

  1. Cached "all clear" on adapter failure. When an adapter failed (e.g. transient network error from the Automation API), the classifier read detected: false, concluded "no drift", and cached the verdict as None / none for 6 hours. A single transient failure could mask real console-break-glass mutations for the rest of the window.
  2. Mixed verdicts without real evidence. The Mixed / high and ConsoleBreakGlass / high verdicts (incident severity) could fire on the "the CloudTrail probe round-tripped successfully" signal rather than actual evidence that anything had been changed via the console. Normal provider-API churn could end up falsely escalated to incident severity.
Impact

Consumers running drift detection in CI / cron could see transient adapter failures silently cached as "all clear" - masking real attacks for up to six hours - or see ordinary provider-version churn falsely promoted to incident severity. Either way, the verdict source was unreliable for downstream incident workflows that gate on it.

Patches

Upgrade to @hulumi/drift@1.4.0. Classifier-only fix (the TLA+-verified 6-row verdict matrix is byte-identical):

  • adapter failures now fail closed to Unknown / low, and degraded verdicts are not written to the cache;
  • the Mixed / ConsoleBreakGlass promotion now requires real CloudTrail event evidence rather than probe liveness.
Workarounds

Setting options.minConfidence: "medium" on the classifier call prevents the degraded None / none from being cached (it doesn't meet the threshold), partially mitigating case (1). No workaround for case (2).

Resources
  • PR #178 (Cluster D); regression tests in packages/drift/tests/classifier-fail-closed.test.ts.

AnalysisAI

Drift-detection logic flaw in the @hulumi/drift npm package (versions < 1.4.0) causes the verdict classifier to conflate adapter failure with a clean result, producing cached false-negative 'None / none' verdicts for up to six hours and false-positive incident-severity 'Mixed / high' or 'ConsoleBreakGlass / high' verdicts based on probe liveness rather than CloudTrail evidence. Consumers running drift detection in CI or cron pipelines could silently miss real console-break-glass mutations or be paged on routine provider-version churn. No public exploit identified at time of analysis; the issue is a CWE-755 improper-exception-handling defect rather than a remote attack primitive.

Technical ContextAI

@hulumi/drift orchestrates four independent adapters (Pulumi-state diff, provider-version comparison, CloudTrail event probe, and one other) whose results are merged by a central classifier into a six-row verdict matrix (e.g. None/none, Mixed/high, ConsoleBreakGlass/high). The bug lies in the classifier reading only each adapter response's detected: true|false field while ignoring an associated success/error indicator - the canonical CWE-755 'Improper Handling of Exceptional Conditions' pattern. As a result, an adapter that errors out (a thrown exception or transient network failure against the Pulumi Automation API) is treated the same as an adapter that ran successfully and saw no drift, and the resulting degraded verdict is then written into the 6-hour result cache. Identified by the CPE pkg:npm/@hulumi_drift.

RemediationAI

Vendor-released patch: upgrade @hulumi/drift to 1.4.0, which is a classifier-only change that keeps the TLA+-verified 6-row verdict matrix byte-identical while making adapter failures fail closed to 'Unknown / low', refusing to write degraded verdicts into the cache, and requiring real CloudTrail event evidence (not probe liveness) before promoting to Mixed or ConsoleBreakGlass. See the advisory at https://github.com/kerberosmansour/hulumi/security/advisories/GHSA-32g3-35g9-wc9g and the fix in https://github.com/kerberosmansour/hulumi/pull/178. As a partial workaround for the cached-all-clear case only, callers can set options.minConfidence: "medium" on the classifier call so the degraded None / none verdict no longer meets the cache threshold; the trade-off is that legitimate low-confidence clean verdicts will also stop being cached, increasing adapter call volume, and there is no workaround for the false-positive Mixed/ConsoleBreakGlass promotion case.

Share

CVE-2026-48036 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy