Dark C0d3rs
HackerOne Disclosed Reports - 2026-07-06 - Printable Version

+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2026-07-06 (/Thread-HackerOne-Disclosed-Reports-2026-07-06)



HackerOne disclosed reports - 2026-07-06 - hashXploiter - 07-07-2026

Logo
High
resolved

OS Command Injection in `aws-cdk-lib` NodejsFunction via Unsanitized `OsCommand` Helper (Supply Chain RCE)


Bug reported by Kaporia515 was disclosed at July 6, 2026, 5:48 pm   |   OS Command Injection

A vulnerability was discovered in the "aws-cdk-lib" NodejsFunction that allowed for OS command injection through the unsanitized "OsCommand" helper. The vulnerability was caused by the lack of proper escaping of user-controlled data when constructing shell commands during Docker-based bundling. This could have potentially led to arbitrary code execution within the Docker container, which had access to the host filesystem through bind mounts.