Skip to content

aws-cdk-lib-2.254.0.tgz: 3 vulnerabilities (highest severity is: 7.5) #6944

Description

@mend-for-github-com
Vulnerable Library - aws-cdk-lib-2.254.0.tgz

Version 2 of the AWS Cloud Development Kit library

Library home page: https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.254.0.tgz

Path to dependency file: /testing/aws-testing-cdk/package.json

Path to vulnerable library: /testing/aws-testing-cdk/package.json

Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (aws-cdk-lib version) Remediation Possible**
CVE-2026-13676 High 7.5 fast-uri-3.1.2.tgz Transitive N/A*
CVE-2026-13149 High 7.5 brace-expansion-5.0.6.tgz Transitive N/A*
CVE-2026-13760 High 7.3 aws-cdk-lib-2.254.0.tgz Direct 2.260.0

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-13676

Vulnerable Library - fast-uri-3.1.2.tgz

Dependency-free RFC 3986 URI toolbox

Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz

Path to dependency file: /testing/aws-testing-cdk/package.json

Path to vulnerable library: /testing/aws-testing-cdk/package.json,/release/staging-resources-cdk/package.json

Dependency Hierarchy:

  • aws-cdk-lib-2.254.0.tgz (Root Library)
    • table-6.9.0.tgz
      • ajv-8.18.0.tgz
        • fast-uri-3.1.2.tgz (Vulnerable Library)

Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480

Found in base branch: main

Vulnerability Details

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.

Publish Date: 2026-06-29

URL: CVE-2026-13676

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4c8g-83qw-93j6

Release Date: 2026-06-29

Fix Resolution: fast-uri - 3.1.3,fast-uri - 4.0.1

CVE-2026-13149

Vulnerable Library - brace-expansion-5.0.6.tgz

Brace expansion as known from sh/bash

Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz

Path to dependency file: /testing/aws-testing-cdk/package.json

Path to vulnerable library: /testing/aws-testing-cdk/package.json,/release/staging-resources-cdk/package.json

Dependency Hierarchy:

  • aws-cdk-lib-2.254.0.tgz (Root Library)
    • minimatch-10.2.5.tgz
      • brace-expansion-5.0.6.tgz (Vulnerable Library)

Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480

Found in base branch: main

Vulnerability Details

brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.

Publish Date: 2026-06-30

URL: CVE-2026-13149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-06-30

Fix Resolution: brace-expansion - 5.0.7,https://github.com/juliangruber/brace-expansion.git - v5.0.7

CVE-2026-13760

Vulnerable Library - aws-cdk-lib-2.254.0.tgz

Version 2 of the AWS Cloud Development Kit library

Library home page: https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.254.0.tgz

Path to dependency file: /testing/aws-testing-cdk/package.json

Path to vulnerable library: /testing/aws-testing-cdk/package.json

Dependency Hierarchy:

  • aws-cdk-lib-2.254.0.tgz (Vulnerable Library)

Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480

Found in base branch: main

Vulnerability Details

OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow a actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified.
To remediate this issue, users should upgrade to v2.260.0.

Publish Date: 2026-07-01

URL: CVE-2026-13760

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vcrf-j523-4mrf

Release Date: 2026-07-01

Fix Resolution: 2.260.0

⛑️ Automatic Remediation will be attempted for this issue.


⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Unplanned

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions