aws-cdk-lib is vulnerable to OS Command Injection
73
High Risk
Affected versions of aws-cdk-lib are vulnerable to OS command injection during Docker-based NodejsFunction bundling when the nodeModules option is used. An attacker who can control dependency version strings in package.json can inject shell commands that execute with the privileges of the user running the CDK toolchain, potentially leading to arbitrary code execution on the host system.
You are affected if you are using a version that falls within the vulnerable range.
aws-cdk-lib is vulnerable to OS Command Injection in versions 0.0.1 - 2.259.0.
Upgrade the software.amazon.awscdk:aws-cdk-lib library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant