CVE-2026-11417 - aws-cdk-lib NodejsFunction bundling command injection
CVE-2026-11417 affects the NodejsFunction local bundling pipeline in
aws-cdk-lib. Before the fixed releases, an actor who could control one or
more bundling properties such as externalModules, define, loader,
inject, or esbuildArgs could inject shell metacharacters and execute
commands on the host running the CDK toolchain.
The key question is not only package version. Exposure depends on whether this repository lets untrusted pull requests, tenant input, generated config, or third-party constructs influence those bundling fields.
When to use it
- A repository uses AWS CDK with
aws-cdk-libandNodejsFunctionlocal bundling. - CDK synth, diff, test, or deploy jobs run on developer workstations, CI, or agent workspaces with cloud credentials, deployment roles, or repository tokens.
- Bundling fields such as
externalModules,define,loader,inject, oresbuildArgscan be influenced by pull requests, tenants, generated config, environment variables, or third-party constructs. - You need a bounded PR or triage note that upgrades
aws-cdk-liband proves untrusted data cannot become local bundling shell arguments.
Inputs
- Package manifests, lockfiles, CDK apps,
NodejsFunctionconstructs, construct libraries, code generators, synth/deploy workflows, CI images, SBOMs, generated reports, and deployment runbooks. - Resolved
aws-cdk-libversions, Windows build-host inventory, bundling field ownership, untrusted config sources, deployment credential boundaries, and third-party construct review. - Available package install, lint/typecheck, construct tests, synth/diff, workflow lint, container build, SBOM, and dependency/security scans.
Affected versions
- Vulnerable:
aws-cdk-lib < 2.245.0 - Windows vulnerable floor:
< 2.246.0 - Fixed:
2.245.0+and2.246.0+on Windows
Indicator-of-exposure
- The repository resolves
aws-cdk-libbelow the fixed versions. - CDK apps use
NodejsFunctionlocal bundling. - Custom constructs or helper functions pass through user-controlled values to
externalModules,define,loader,inject, oresbuildArgs. - CI or developer workstations run
cdk synth,cdk diff, orcdk deployagainst branches or configs that may be attacker-influenced.
Quick checks:
rg -n "NodejsFunction|externalModules|define:|loader:|inject:|esbuildArgs|bundling:" .
npm ls aws-cdk-lib
pnpm why aws-cdk-lib
yarn why aws-cdk-lib
Windows:
rg -n "NodejsFunction|externalModules|define:|loader:|inject:|esbuildArgs|bundling:" .
npm ls aws-cdk-lib
pnpm why aws-cdk-lib
yarn why aws-cdk-lib
Do not test by passing shell metacharacters into a live bundling job.
Remediation strategy
- Upgrade
aws-cdk-libto2.245.0+, or2.246.0+for Windows build hosts. - Remove or tightly validate any path where untrusted data can reach the affected bundling properties.
- Audit third-party constructs, code generators, and internal wrappers around
NodejsFunctionfor passthrough bundling arguments. - Prefer trusted static configuration for bundling inputs and keep CDK synth or deploy jobs separate from untrusted pull-request execution.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-11417 / GHSA-999r-qq7v-r334, a high-severity OS
command injection issue in `aws-cdk-lib` `NodejsFunction` local bundling.
Produce exactly one output:
- A reviewer-ready PR/change request that upgrades `aws-cdk-lib`, removes
untrusted bundling argument flows, adds safe regression checks, and
documents operator follow-up, or
- TRIAGE.md if this repository does not control an affected CDK bundling path.
## Rules
- Scope only CVE-2026-11417 and directly related `NodejsFunction` bundling
configuration.
- Treat cloud credentials, deployment roles, CI tokens, and synthesized
templates as sensitive.
- Do not inject shell metacharacters into real bundling commands.
- Do not auto-merge.
## Steps
1. Inventory every `aws-cdk-lib` dependency, lockfile, CDK app, synth/deploy
workflow, and CI image controlled here.
2. Determine whether any resolved version is below the fixed range, including
the higher Windows floor.
3. Search for `NodejsFunction` wrappers and any passthrough of
`externalModules`, `define`, `loader`, `inject`, or `esbuildArgs`.
4. Identify whether untrusted input, pull-request data, templates, or
third-party constructs can influence those fields.
5. If no controlled affected bundling path exists, stop with `TRIAGE.md`.
6. Upgrade to the fixed `aws-cdk-lib` version and refresh lockfiles and
generated dependency artifacts.
7. Remove or validate unsafe argument passthrough so only trusted static values
reach bundling configuration.
8. Add safe regression checks that assert patched versions and reject or avoid
untrusted bundling-field construction.
9. Add a PR body section named `CVE-2026-11417 operator actions` covering
versions before and after, which bundling fields were audited, whether
Windows hosts were in scope, and which deployment jobs require rollout.
10. Run relevant validation: package install, synth, tests, linting, CI lint,
and dependency/security scans.
11. Use PR title:
`fix(sec): remediate CVE-2026-11417 in aws-cdk-lib bundling`.
## Stop conditions
- No affected `aws-cdk-lib` runtime or controlled bundling path exists.
- Verification would require running an exploit payload through a real CDK
bundler.
- A safe fix depends on external CDK wrappers owned by another team.
Verification - what the reviewer looks for
- No controlled install resolves a vulnerable
aws-cdk-libversion. - Untrusted data no longer reaches the affected bundling fields.
- CI and deployment jobs that run CDK do not execute attacker-influenced local bundling arguments.
Output contract
- Reviewer-ready PR upgrading
aws-cdk-libto2.245.0+, or2.246.0+for Windows build hosts, with refreshed lockfiles, generated reports, SBOMs, and build images. - Audited
NodejsFunctionwrappers and constructs so only trusted static or strictly validated values reachexternalModules,define,loader,inject, andesbuildArgs. - Safe regression checks for patched version resolution, rejected untrusted bundling-field construction, synth behavior, and credential-safe logs.
TRIAGE.mdwhen the affected CDK wrapper, build host, third-party construct, or deployment workflow is outside this repository.
Watch for
- Fixing package versions but keeping a custom wrapper that rebuilds unsafe shell fragments.
- Overlooking Windows-specific build hosts.
- Running CDK synth on untrusted pull requests with deployment credentials.
Related recipes
- CVE-2026-10796 nvm mirror version command injection
- Critical infrastructure secure context
- Source code supply-chain build integrity audit
References
- AWS bulletin: https://aws.amazon.com/security/security-bulletins/2026-041-aws/
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-11417
- GitHub Advisory Database: https://github.com/advisories/GHSA-999r-qq7v-r334