![]() |
|
HackerOne Disclosed Reports - 2026-07-06 - Printable Version +- Dark C0d3rs (https://darkcoders.wiki) +-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log) +--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports) +--- Thread: HackerOne Disclosed Reports - 2026-07-06 (/Thread-HackerOne-Disclosed-Reports-2026-07-06) |
HackerOne disclosed reports - 2026-07-06 - hashXploiter - 07-07-2026
High
resolved OS Command Injection in `aws-cdk-lib` NodejsFunction via Unsanitized `OsCommand` Helper (Supply Chain RCE)Bug reported by Kaporia515 was disclosed at July 6, 2026, 5:48 pm | OS Command Injection A vulnerability was discovered in the "aws-cdk-lib" NodejsFunction that allowed for OS command injection through the unsanitized "OsCommand" helper. The vulnerability was caused by the lack of proper escaping of user-controlled data when constructing shell commands during Docker-based bundling. This could have potentially led to arbitrary code execution within the Docker container, which had access to the host filesystem through bind mounts. |