Vulnerable Library - aws-cdk-lib-2.254.0.tgz
Version 2 of the AWS Cloud Development Kit library
Library home page: https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.254.0.tgz
Path to dependency file: /testing/aws-testing-cdk/package.json
Path to vulnerable library: /testing/aws-testing-cdk/package.json
Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480
Vulnerabilities
| Vulnerability |
Severity |
CVSS |
Dependency |
Type |
Fixed in (aws-cdk-lib version) |
Remediation Possible** |
| CVE-2026-13676 |
High |
7.5 |
fast-uri-3.1.2.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-13149 |
High |
7.5 |
brace-expansion-5.0.6.tgz |
Transitive |
N/A* |
❌ |
| CVE-2026-13760 |
High |
7.3 |
aws-cdk-lib-2.254.0.tgz |
Direct |
2.260.0 |
✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-13676
Vulnerable Library - fast-uri-3.1.2.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz
Path to dependency file: /testing/aws-testing-cdk/package.json
Path to vulnerable library: /testing/aws-testing-cdk/package.json,/release/staging-resources-cdk/package.json
Dependency Hierarchy:
- aws-cdk-lib-2.254.0.tgz (Root Library)
- table-6.9.0.tgz
- ajv-8.18.0.tgz
- ❌ fast-uri-3.1.2.tgz (Vulnerable Library)
Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480
Found in base branch: main
Vulnerability Details
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
Publish Date: 2026-06-29
URL: CVE-2026-13676
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4c8g-83qw-93j6
Release Date: 2026-06-29
Fix Resolution: fast-uri - 3.1.3,fast-uri - 4.0.1
CVE-2026-13149
Vulnerable Library - brace-expansion-5.0.6.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz
Path to dependency file: /testing/aws-testing-cdk/package.json
Path to vulnerable library: /testing/aws-testing-cdk/package.json,/release/staging-resources-cdk/package.json
Dependency Hierarchy:
- aws-cdk-lib-2.254.0.tgz (Root Library)
- minimatch-10.2.5.tgz
- ❌ brace-expansion-5.0.6.tgz (Vulnerable Library)
Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480
Found in base branch: main
Vulnerability Details
brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.
Publish Date: 2026-06-30
URL: CVE-2026-13149
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-30
Fix Resolution: brace-expansion - 5.0.7,https://github.com/juliangruber/brace-expansion.git - v5.0.7
CVE-2026-13760
Vulnerable Library - aws-cdk-lib-2.254.0.tgz
Version 2 of the AWS Cloud Development Kit library
Library home page: https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.254.0.tgz
Path to dependency file: /testing/aws-testing-cdk/package.json
Path to vulnerable library: /testing/aws-testing-cdk/package.json
Dependency Hierarchy:
- ❌ aws-cdk-lib-2.254.0.tgz (Vulnerable Library)
Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480
Found in base branch: main
Vulnerability Details
OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow a actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified.
To remediate this issue, users should upgrade to v2.260.0.
Publish Date: 2026-07-01
URL: CVE-2026-13760
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-vcrf-j523-4mrf
Release Date: 2026-07-01
Fix Resolution: 2.260.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Version 2 of the AWS Cloud Development Kit library
Library home page: https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.254.0.tgz
Path to dependency file: /testing/aws-testing-cdk/package.json
Path to vulnerable library: /testing/aws-testing-cdk/package.json
Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - fast-uri-3.1.2.tgz
Dependency-free RFC 3986 URI toolbox
Library home page: https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.2.tgz
Path to dependency file: /testing/aws-testing-cdk/package.json
Path to vulnerable library: /testing/aws-testing-cdk/package.json,/release/staging-resources-cdk/package.json
Dependency Hierarchy:
Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480
Found in base branch: main
Vulnerability Details
fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode (IDN) hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize() and equal() still return values that differ from a WHATWG-compatible URL parser. Applications that use fast-uri to enforce host-based policy (denylists, loopback filtering, redirect validation, outbound proxy routing) before passing the same URL to Node's URL or fetch can be bypassed when the two implementations resolve the same input to different hosts. Patches: upgrade to fast-uri 3.1.3 for the 3.x line or 4.0.1 for the 4.x line. Workarounds: enforce host policy using the same URL parser used for the actual request, or reject non-ASCII hosts before policy checks.
Publish Date: 2026-06-29
URL: CVE-2026-13676
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4c8g-83qw-93j6
Release Date: 2026-06-29
Fix Resolution: fast-uri - 3.1.3,fast-uri - 4.0.1
Vulnerable Library - brace-expansion-5.0.6.tgz
Brace expansion as known from sh/bash
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz
Path to dependency file: /testing/aws-testing-cdk/package.json
Path to vulnerable library: /testing/aws-testing-cdk/package.json,/release/staging-resources-cdk/package.json
Dependency Hierarchy:
Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480
Found in base branch: main
Vulnerability Details
brace-expansion through 5.0.6 is vulnerable to denial of service. The expand() function exhibits exponential-time complexity in the number of consecutive non-expanding '{}' brace groups. An attacker who passes a crafted string to expand(), directly or transitively, can cause significant CPU consumption and event-loop blocking. The max option does not mitigate this, as it bounds the output size rather than the recursion work.
Publish Date: 2026-06-30
URL: CVE-2026-13149
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-30
Fix Resolution: brace-expansion - 5.0.7,https://github.com/juliangruber/brace-expansion.git - v5.0.7
Vulnerable Library - aws-cdk-lib-2.254.0.tgz
Version 2 of the AWS Cloud Development Kit library
Library home page: https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.254.0.tgz
Path to dependency file: /testing/aws-testing-cdk/package.json
Path to vulnerable library: /testing/aws-testing-cdk/package.json
Dependency Hierarchy:
Found in HEAD commit: eaca0240768d03d4229f0aa93390488d93c04480
Found in base branch: main
Vulnerability Details
OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow a actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified.
To remediate this issue, users should upgrade to v2.260.0.
Publish Date: 2026-07-01
URL: CVE-2026-13760
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-vcrf-j523-4mrf
Release Date: 2026-07-01
Fix Resolution: 2.260.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.