Skip to main content

CVE-2026-15895: OS command injection in jsii-diff in AWS jsii

Bulletin ID: 2026-057-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 07/15/2026 12:00 PM PDT

Description:

jsii-diff is a command line tool to compare the API differences between two jsii assemblies, and report errors if there are backwards-incompatible changes to the API. We identified CVE-2026-15895, an issue where specially formatted command line arguments can be used to execute shell commands via this tool.

Impacted versions: <1.131.0

Resolution:

This issue has been addressed in jsii-diff version 1.131.0. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds:

If you are unable to update, make sure only trusted actors can control the arguments passed to jsii-diff.

References:


Please email aws-security@amazon.com with any security questions or concerns.