@hulumi/drift CVE-2026-48036
HIGHLifecycle Timeline
2DescriptionCVE.org
Affected: @hulumi/drift < 1.4.0 - Fixed in: 1.4.0 - Severity: Medium - CWE-755 (Improper Handling of Exceptional Conditions)
Summary
@hulumi/drift runs four adapters that each ask a different question about whether a resource has drifted (Pulumi-state diff, provider-version change, CloudTrail event, etc.). A classifier combines the adapters' answers into a verdict like None / none, ConsoleBreakGlass / high, or Mixed / high, and caches the verdict for 6 hours by default.
Two related bugs from one root cause - the classifier only read each adapter's detected: true/false field and ignored whether the adapter itself succeeded:
- Cached "all clear" on adapter failure. When an adapter failed (e.g. transient network error from the Automation API), the classifier read
detected: false, concluded "no drift", and cached the verdict asNone / nonefor 6 hours. A single transient failure could mask real console-break-glass mutations for the rest of the window. - Mixed verdicts without real evidence. The
Mixed / highandConsoleBreakGlass / highverdicts (incident severity) could fire on the "the CloudTrail probe round-tripped successfully" signal rather than actual evidence that anything had been changed via the console. Normal provider-API churn could end up falsely escalated to incident severity.
Impact
Consumers running drift detection in CI / cron could see transient adapter failures silently cached as "all clear" - masking real attacks for up to six hours - or see ordinary provider-version churn falsely promoted to incident severity. Either way, the verdict source was unreliable for downstream incident workflows that gate on it.
Patches
Upgrade to @hulumi/drift@1.4.0. Classifier-only fix (the TLA+-verified 6-row verdict matrix is byte-identical):
- adapter failures now fail closed to
Unknown / low, and degraded verdicts are not written to the cache; - the
Mixed/ConsoleBreakGlasspromotion now requires real CloudTrail event evidence rather than probe liveness.
Workarounds
Setting options.minConfidence: "medium" on the classifier call prevents the degraded None / none from being cached (it doesn't meet the threshold), partially mitigating case (1). No workaround for case (2).
Resources
- PR #178 (Cluster D); regression tests in
packages/drift/tests/classifier-fail-closed.test.ts.
AnalysisAI
Drift-detection logic flaw in the @hulumi/drift npm package (versions < 1.4.0) causes the verdict classifier to conflate adapter failure with a clean result, producing cached false-negative 'None / none' verdicts for up to six hours and false-positive incident-severity 'Mixed / high' or 'ConsoleBreakGlass / high' verdicts based on probe liveness rather than CloudTrail evidence. Consumers running drift detection in CI or cron pipelines could silently miss real console-break-glass mutations or be paged on routine provider-version churn. No public exploit identified at time of analysis; the issue is a CWE-755 improper-exception-handling defect rather than a remote attack primitive.
Technical ContextAI
@hulumi/drift orchestrates four independent adapters (Pulumi-state diff, provider-version comparison, CloudTrail event probe, and one other) whose results are merged by a central classifier into a six-row verdict matrix (e.g. None/none, Mixed/high, ConsoleBreakGlass/high). The bug lies in the classifier reading only each adapter response's detected: true|false field while ignoring an associated success/error indicator - the canonical CWE-755 'Improper Handling of Exceptional Conditions' pattern. As a result, an adapter that errors out (a thrown exception or transient network failure against the Pulumi Automation API) is treated the same as an adapter that ran successfully and saw no drift, and the resulting degraded verdict is then written into the 6-hour result cache. Identified by the CPE pkg:npm/@hulumi_drift.
RemediationAI
Vendor-released patch: upgrade @hulumi/drift to 1.4.0, which is a classifier-only change that keeps the TLA+-verified 6-row verdict matrix byte-identical while making adapter failures fail closed to 'Unknown / low', refusing to write degraded verdicts into the cache, and requiring real CloudTrail event evidence (not probe liveness) before promoting to Mixed or ConsoleBreakGlass. See the advisory at https://github.com/kerberosmansour/hulumi/security/advisories/GHSA-32g3-35g9-wc9g and the fix in https://github.com/kerberosmansour/hulumi/pull/178. As a partial workaround for the cached-all-clear case only, callers can set options.minConfidence: "medium" on the classifier call so the degraded None / none verdict no longer meets the cache threshold; the trade-off is that legitimate low-confidence clean verdicts will also stop being cached, increasing adapter call volume, and there is no workaround for the false-positive Mixed/ConsoleBreakGlass promotion case.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-32g3-35g9-wc9g