@aws-amplify/cli is vulnerable to OS Command Injection
53
Medium Risk
Affected versions of this package are vulnerable to OS Command Injection, leading to arbitrary code execution, in the APNS certificate P12 decoder. The decoder built a shell command string that included a user-provided P12 filename and passed it to execSync, which hands the whole string to the system shell. A filename containing shell metacharacters (for example ;, |, &&, $(...) or backticks) was therefore parsed as additional shell commands rather than as a path, and those commands ran with the privileges of the process invoking the Amplify CLI. The fix replaces execSync with spawnSync, which takes the command and its arguments as separate values, so the filename always reaches the child process as a single literal argument and is never interpreted by a shell, and adds a check that the PEM file exists before it is accessed.
You are affected if you are using a version that falls within the vulnerable range.
@aws-amplify/cli is vulnerable to OS Command Injection in versions 4.33.0 - 14.2.4.
Upgrade the @aws-amplify/cli package to a patched version, that is, any release later than 14.2.4.