
CVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib

Bulletin ID: 2026-050-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 07/01/2026 12:15 PM PDT

Description:

AWS CDK (aws-cdk-lib) is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. We identified CVE-2026-13760, an OS command injection issue in the NodejsFunction Docker bundling pipeline in aws-cdk-lib before 2.260.0 that could allow an actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified.

Impacted versions: < 2.260.0

Resolution:

This issue has been addressed in aws-cdk-lib version 2.260.0. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds:

Ensure that the modules listed in the nodeModules bundling option - and the version strings declared for them in your project's package.json, as well as the versions of the corresponding installed packages - come only from trusted sources. Using local bundling instead of Docker-based bundling avoids the affected code path. Upgrading to a fixed version is the recommended remediation.
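As an added example (not part of this bulletin or of the aws-cdk-lib code base), here is a TypeScript pre-bundling check that applies the workaround above: it audits each module named in nodeModules against the project's package.json and reports any version string that contains shell metacharacters, falls outside a conservative version-specifier allowlist, or is not declared at all, so the build can stop before Docker bundling runs. The package.json content, the function and constant names, and the allowlist pattern are all constructed for this example.

```typescript
// Added example, not code from the AWS bulletin or aws-cdk-lib.
// Audits nodeModules version strings before bundling so that nothing
// resembling a shell fragment reaches a command line.

type PackageJson = {
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
};

// Characters with meaning to a POSIX shell. None of them belong in a
// version specifier that might be interpolated into a command.
const SHELL_METACHARACTERS = /[;&|`$(){}<>\\'"*?[\]\s]/;

// Conservative allowlist (an assumption for this example): semver ranges
// and the "latest" tag only. git URLs, tarballs and other specifiers are
// reported for manual review instead of being accepted silently.
const SAFE_SPECIFIER =
  /^(latest|[~^]?[0-9]+(\.[0-9]+){0,2}(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?)$/;

interface Finding {
  name: string;
  version: string;
  reason: 'shell-metacharacter' | 'unexpected-specifier' | 'missing';
}

// Resolve each module listed in nodeModules against package.json and
// return everything that should block bundling. An empty array means the
// declared versions are safe to hand to the bundler.
function auditNodeModules(pkg: PackageJson, nodeModules: string[]): Finding[] {
  const declared: Record<string, string> = {
    ...(pkg.devDependencies ?? {}),
    ...(pkg.dependencies ?? {}),
  };
  const findings: Finding[] = [];
  for (const name of nodeModules) {
    const version = declared[name];
    if (version === undefined) {
      findings.push({ name, version: '', reason: 'missing' });
      continue;
    }
    if (SHELL_METACHARACTERS.test(version)) {
      findings.push({ name, version, reason: 'shell-metacharacter' });
    } else if (!SAFE_SPECIFIER.test(version)) {
      findings.push({ name, version, reason: 'unexpected-specifier' });
    }
  }
  return findings;
}

// Constructed sample package.json for demonstration; not real project data.
const SAMPLE_PACKAGE_JSON: PackageJson = {
  dependencies: {
    'left-pad': '^1.3.0',                    // ordinary semver range: accepted
    'some-lib': '1.2.3; echo injected',      // shell metacharacters: rejected
    'other-lib': 'github:example/other-lib', // outside the allowlist: review
  },
};

// Modules a hypothetical NodejsFunction would list in its nodeModules option.
const SAMPLE_NODE_MODULES = ['left-pad', 'some-lib', 'other-lib', 'not-declared'];

const SAMPLE_FINDINGS = auditNodeModules(SAMPLE_PACKAGE_JSON, SAMPLE_NODE_MODULES);

for (const f of SAMPLE_FINDINGS) {
  console.error(`refusing to bundle ${f.name}@${JSON.stringify(f.version)}: ${f.reason}`);
}
```

Run a check like this as a CI step before `cdk synth` and fail the build on any finding; widen the allowlist only for sources you have decided to trust. The bulletin also notes that local bundling avoids the affected code path: in aws-lambda-nodejs, bundling stays local when esbuild is installed in the project and the `forceDockerBundling` option is not set to true, which is the other half of this workaround until the upgrade to 2.260.0 is in place.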

References:

Acknowledgement:

We would like to thank the external reporter, Mostafa Ashraf, who collaborated on this issue through the AWS Vulnerability Disclosure Program (coordinated vulnerability disclosure process).


Please email aws-security@amazon.com with any security questions or concerns.