CVE-2026-11417 - aws-cdk-lib NodejsFunction bundling command injection

CVE-2026-11417 affects the NodejsFunction local bundling pipeline in aws-cdk-lib. Before the fixed releases, an actor who could control one or more bundling properties such as externalModules, define, loader, inject, or esbuildArgs could inject shell metacharacters and execute commands on the host running the CDK toolchain.

The key question is not only package version. Exposure depends on whether this repository lets untrusted pull requests, tenant input, generated config, or third-party constructs influence those bundling fields.

When to use it

  • A repository uses AWS CDK with aws-cdk-lib and NodejsFunction local bundling.
  • CDK synth, diff, test, or deploy jobs run on developer workstations, CI, or agent workspaces with cloud credentials, deployment roles, or repository tokens.
  • Bundling fields such as externalModules, define, loader, inject, or esbuildArgs can be influenced by pull requests, tenants, generated config, environment variables, or third-party constructs.
  • You need a bounded PR or triage note that upgrades aws-cdk-lib and proves untrusted data cannot become local bundling shell arguments.

Inputs

  • Package manifests, lockfiles, CDK apps, NodejsFunction constructs, construct libraries, code generators, synth/deploy workflows, CI images, SBOMs, generated reports, and deployment runbooks.
  • Resolved aws-cdk-lib versions, Windows build-host inventory, bundling field ownership, untrusted config sources, deployment credential boundaries, and third-party construct review.
  • Available package install, lint/typecheck, construct tests, synth/diff, workflow lint, container build, SBOM, and dependency/security scans.

Affected versions

  • Vulnerable: aws-cdk-lib < 2.245.0
  • Windows vulnerable floor: < 2.246.0
  • Fixed: 2.245.0+ and 2.246.0+ on Windows

Indicator-of-exposure

  • The repository resolves aws-cdk-lib below the fixed versions.
  • CDK apps use NodejsFunction local bundling.
  • Custom constructs or helper functions pass through user-controlled values to externalModules, define, loader, inject, or esbuildArgs.
  • CI or developer workstations run cdk synth, cdk diff, or cdk deploy against branches or configs that may be attacker-influenced.

Quick checks:

rg -n "NodejsFunction|externalModules|define:|loader:|inject:|esbuildArgs|bundling:" .
npm ls aws-cdk-lib
pnpm why aws-cdk-lib
yarn why aws-cdk-lib

Windows:

rg -n "NodejsFunction|externalModules|define:|loader:|inject:|esbuildArgs|bundling:" .
npm ls aws-cdk-lib
pnpm why aws-cdk-lib
yarn why aws-cdk-lib

Do not test by passing shell metacharacters into a live bundling job.

Remediation strategy

  • Upgrade aws-cdk-lib to 2.245.0+, or 2.246.0+ for Windows build hosts.
  • Remove or tightly validate any path where untrusted data can reach the affected bundling properties.
  • Audit third-party constructs, code generators, and internal wrappers around NodejsFunction for passthrough bundling arguments.
  • Prefer trusted static configuration for bundling inputs and keep CDK synth or deploy jobs separate from untrusted pull-request execution.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-11417 / GHSA-999r-qq7v-r334, a high-severity OS
command injection issue in `aws-cdk-lib` `NodejsFunction` local bundling.
Produce exactly one output:

- A reviewer-ready PR/change request that upgrades `aws-cdk-lib`, removes
  untrusted bundling argument flows, adds safe regression checks, and
  documents operator follow-up, or
- TRIAGE.md if this repository does not control an affected CDK bundling path.

## Rules

- Scope only CVE-2026-11417 and directly related `NodejsFunction` bundling
  configuration.
- Treat cloud credentials, deployment roles, CI tokens, and synthesized
  templates as sensitive.
- Do not inject shell metacharacters into real bundling commands.
- Do not auto-merge.

## Steps

1. Inventory every `aws-cdk-lib` dependency, lockfile, CDK app, synth/deploy
   workflow, and CI image controlled here.
2. Determine whether any resolved version is below the fixed range, including
   the higher Windows floor.
3. Search for `NodejsFunction` wrappers and any passthrough of
   `externalModules`, `define`, `loader`, `inject`, or `esbuildArgs`.
4. Identify whether untrusted input, pull-request data, templates, or
   third-party constructs can influence those fields.
5. If no controlled affected bundling path exists, stop with `TRIAGE.md`.
6. Upgrade to the fixed `aws-cdk-lib` version and refresh lockfiles and
   generated dependency artifacts.
7. Remove or validate unsafe argument passthrough so only trusted static values
   reach bundling configuration.
8. Add safe regression checks that assert patched versions and reject or avoid
   untrusted bundling-field construction.
9. Add a PR body section named `CVE-2026-11417 operator actions` covering
   versions before and after, which bundling fields were audited, whether
   Windows hosts were in scope, and which deployment jobs require rollout.
10. Run relevant validation: package install, synth, tests, linting, CI lint,
    and dependency/security scans.
11. Use PR title:
    `fix(sec): remediate CVE-2026-11417 in aws-cdk-lib bundling`.

## Stop conditions

- No affected `aws-cdk-lib` runtime or controlled bundling path exists.
- Verification would require running an exploit payload through a real CDK
  bundler.
- A safe fix depends on external CDK wrappers owned by another team.

Verification - what the reviewer looks for

  • No controlled install resolves a vulnerable aws-cdk-lib version.
  • Untrusted data no longer reaches the affected bundling fields.
  • CI and deployment jobs that run CDK do not execute attacker-influenced local bundling arguments.

Output contract

  • Reviewer-ready PR upgrading aws-cdk-lib to 2.245.0+, or 2.246.0+ for Windows build hosts, with refreshed lockfiles, generated reports, SBOMs, and build images.
  • Audited NodejsFunction wrappers and constructs so only trusted static or strictly validated values reach externalModules, define, loader, inject, and esbuildArgs.
  • Safe regression checks for patched version resolution, rejected untrusted bundling-field construction, synth behavior, and credential-safe logs.
  • TRIAGE.md when the affected CDK wrapper, build host, third-party construct, or deployment workflow is outside this repository.

Watch for

  • Fixing package versions but keeping a custom wrapper that rebuilds unsafe shell fragments.
  • Overlooking Windows-specific build hosts.
  • Running CDK synth on untrusted pull requests with deployment credentials.

References