CVE Catalog

CVE-2026-13760

HighCVSS 7.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.61%

45th percentile — higher than 45% of all known CVEs

Summary

OS command injection vulnerability in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib. An attacker controlling dependency version strings in package.json can execute arbitrary commands on the CDK toolchain host via injected shell metacharacters.

Risk Assessment

The risk for the organization includes full compromise of the host running the CDK toolchain, potentially leading to data theft, malware installation, or further attacks on cloud infrastructure.

Recommendation

Immediately upgrade aws-cdk-lib to version 2.260.0 or later and verify the integrity of package.json files in projects using Docker bundling with nodeModules.

Original NVD description (English source)

OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow a actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified. To remediate this issue, users should upgrade to v2.260.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS