CVE-2026-13760
Status: Awaiting Analysis - Queue

AWS CDK OsCommand Helper Command Injection Vulnerability

Vulnerability report for CVE-2026-13760, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: AMZN

Description

OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow an actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified. To remediate this issue, users should upgrade to v2.260.0.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor  Product      Version / Range
aws     aws-cdk-lib  up to 2.260.0 (2.260.0 excluded)
aws     aws-cdk-lib  2.260.0

Exploitability

CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

AI Quick Actions (instant insights powered by AI)

Executive Summary

CVE-2026-13760 is an OS command injection vulnerability in the NodejsFunction Docker bundling feature of the aws-cdk-lib framework. It affects versions prior to 2.260.0 and allows an attacker who controls a dependency version string in a project's package.json file to execute arbitrary commands on the host system running the CDK toolchain.

This happens during Docker-based Lambda bundling when the nodeModules option is specified, because the version strings are interpolated into a shell command without proper escaping. The attacker must control the content of a package.json dependency version string processed during this bundling process.

The vulnerability is due to injected shell metacharacters in the OsCommand helper, which leads to command injection on the host.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary commands on the host system running the AWS CDK toolchain, potentially compromising the confidentiality, integrity, and availability of the system.

Because the attacker can run arbitrary OS commands, they could manipulate or steal sensitive data, disrupt operations, or install malicious software.

The vulnerability has a high severity score (CVSS v3.1 Base Score 7.3) reflecting its significant potential impact.

Detection Guidance

This vulnerability involves OS command injection through dependency version strings in a project's package.json file during Docker-based bundling with nodeModules specified in aws-cdk-lib versions prior to 2.260.0.

Detection would involve inspecting the package.json files for untrusted or suspicious dependency version strings that might contain shell metacharacters or injection payloads.

Additionally, monitoring the host system running the CDK toolchain for unexpected command executions or unusual Docker bundling activity could help identify exploitation attempts.

No specific detection commands or tools are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade aws-cdk-lib to version 2.260.0 or later, where this vulnerability has been fixed.

  • Upgrade aws-cdk-lib to version 2.260.0 or newer.
  • Ensure all dependencies listed in nodeModules come from trusted sources, and verify the integrity of the dependency version strings in package.json files.
  • Consider using local bundling instead of Docker-based bundling to avoid processing untrusted version strings in the Docker environment.

Compliance Impact

The provided information does not specify how CVE-2026-13760 affects compliance with common standards and regulations such as GDPR or HIPAA.
