CVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib
Bulletin ID: 2026-050-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 07/01/2026 12:15 PM PDT

Description: AWS CDK (aws-cdk-lib) is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. We identified CVE-2026-13760, an OS command injection issue in the NodejsFunction Docker bundling pipeline in aws-cdk-lib before 2.260.0 that could allow an actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified.

Impacted versions: < 2.260.0

Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
AI Analysis
Technical Summary
AWS CDK (aws-cdk-lib) versions prior to 2.260.0 contain an OS command injection vulnerability in the NodejsFunction Docker bundling pipeline. When a NodejsFunction is bundled in Docker with nodeModules specified, the listed modules are installed inside the bundling container at the versions declared in the project's package.json, and those version strings reach a shell command assembled by the OsCommand helper without shell metacharacters being neutralized. An attacker who controls such a version string (for example through a change to package.json that passes review) can therefore execute arbitrary commands on the host running the CDK toolchain, that is, the machine executing cdk synth or cdk deploy. The vulnerable path is only reached with Docker-based bundling and nodeModules set; local bundling does not use it. The issue is resolved in version 2.260.0. Mitigations include upgrading to 2.260.0 or later, accepting dependency version strings only from trusted sources, or using local bundling instead of Docker-based bundling to avoid the vulnerable code path.
Potential Impact
An attacker who can control a dependency version string in a package.json file processed during Docker-based bundling can execute arbitrary OS commands on the host running the AWS CDK toolchain. Because cdk synth and cdk deploy commonly run on developer workstations or CI runners that hold AWS credentials, compromise of that host can extend from the build environment into the accounts it deploys to. The impact is limited to environments running a vulnerable aws-cdk-lib version with Docker-based bundling and nodeModules specified; projects that bundle locally or do not set nodeModules are not exposed through this path.
Mitigation Recommendations
A fix is available in aws-cdk-lib version 2.260.0; upgrading to that version or later is the recommended remediation (check the resolved version in the lockfile or node_modules, not only the declared range in package.json). As a workaround, ensure that every module listed in nodeModules and its version string in package.json come from trusted sources, and review package.json changes for version specs that contain shell metacharacters. Alternatively, use local bundling instead of Docker-based bundling to avoid the vulnerable code path: NodejsFunction bundles locally when esbuild is installed in the project and forceDockerBundling is not set. Follow the official AWS Security Bulletin for the latest guidance.
Technical Details
- Article Source: https://aws.amazon.com/security/security-bulletins/rss/2026-050-aws/ (fetched 2026-07-01T19:18:35Z)
Threat ID: 6a45680b27e9c79719fce598
Added to database: 07/01/2026, 19:18:35 UTC
Last enriched: 07/01/2026, 19:18:42 UTC
Last updated: 07/01/2026, 23:11:25 UTC