High
resolved
resolved
OS Command Injection in `aws-cdk-lib` NodejsFunction via Unsanitized `OsCommand` Helper (Supply Chain RCE)
Bug reported by Kaporia515 was disclosed at July 6, 2026, 5:48 pm | OS Command Injection
A vulnerability was discovered in the "aws-cdk-lib" NodejsFunction that allowed for OS command injection through the unsanitized "OsCommand" helper. The vulnerability was caused by the lack of proper escaping of user-controlled data when constructing shell commands during Docker-based bundling. This could have potentially led to arbitrary code execution within the Docker container, which had access to the host filesystem through bind mounts.

