Intel

AIKIDO-2026-783762

aws-cdk-lib is vulnerable to OS Command Injection

OS Command InjectionCVE-2026-13760 Published Jul 2, 2026

73

High Risk

This Affects:

PYTHONaws-cdk-lib
0.0.1 - 2.259.0
Fixed in 2.260.0
Are you affected? Scan for Free

TL;DR

Affected versions of aws-cdk-lib are vulnerable to OS command injection during Docker-based NodejsFunction bundling when the nodeModules option is used. An attacker who can control dependency version strings in package.json can inject shell commands that execute with the privileges of the user running the CDK toolchain, potentially leading to arbitrary code execution on the host system.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

aws-cdk-lib is vulnerable to OS Command Injection in versions 0.0.1 - 2.259.0.

How to fix this

Upgrade the aws-cdk-lib library to the patch version.