HackerOne Disclosed Reports - 2026-07-06

0 Replies, 7 Views

Logo
High
resolved

OS Command Injection in `aws-cdk-lib` NodejsFunction via Unsanitized `OsCommand` Helper (Supply Chain RCE)


Bug reported by Kaporia515 was disclosed at July 6, 2026, 5:48 pm   |   OS Command Injection

A vulnerability was discovered in the "aws-cdk-lib" NodejsFunction that allowed for OS command injection through the unsanitized "OsCommand" helper. The vulnerability was caused by the lack of proper escaping of user-controlled data when constructing shell commands during Docker-based bundling. This could have potentially led to arbitrary code execution within the Docker container, which had access to the host filesystem through bind mounts.


[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]



Users browsing this thread: 1 Guest(s)