Dark C0d3rs

Full Version: HackerOne Disclosed Reports - 2026-07-06
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Logo
High
resolved

OS Command Injection in `aws-cdk-lib` NodejsFunction via Unsanitized `OsCommand` Helper (Supply Chain RCE)


Bug reported by Kaporia515 was disclosed at July 6, 2026, 5:48 pm   |   OS Command Injection

A vulnerability was discovered in the "aws-cdk-lib" NodejsFunction that allowed for OS command injection through the unsanitized "OsCommand" helper. The vulnerability was caused by the lack of proper escaping of user-controlled data when constructing shell commands during Docker-based bundling. This could have potentially led to arbitrary code execution within the Docker container, which had access to the host filesystem through bind mounts.