terraform-cdk icon indicating copy to clipboard operation
terraform-cdk copied to clipboard
verified publisher icon hashicorp

cdktf node package: low severity vulnerability

Open peter-majeed opened this issue 6 months ago • 3 comments

Expected Behavior

A vulnerability was published 10 days ago that affects the brace-expansion project in use by the cdktf package.

https://github.com/advisories/GHSA-v6h2-p8h4-qcjw

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

Image

I would expect that there would be no vulnerabilities in the most up-to-date version of cdktf.

Actual Behavior

There is a vulnerability in the most up-to-date version of cdktf.

Steps to Reproduce

  1. In a new project, install the [email protected] package.
  2. Run npm audit.

There should be no vulnerabilities.

Versions

language: typescript cdktf-cli: 0.21.0 node: v22.16.0 cdktf: 0.21.0 constructs: 10.4.2 jsii: null terraform: 1.11.3 arch: arm64 os: darwin 24.5.0

Providers

┌┐ ││ └┘

Gist

No response

Possible Solutions

No response

Workarounds

No response

Anything Else?

No response

References

https://github.com/advisories/GHSA-v6h2-p8h4-qcjw

Help Wanted

  • [ ] I'm interested in contributing a fix myself

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

peter-majeed avatar Jun 19 '25 16:06 peter-majeed

I have experienced the same issue when trying to upgrade from version v0.20.12 to the latest version v0.21.0 and this is preventing the upgrade

dlgeraghty avatar Jun 30 '25 09:06 dlgeraghty

This issue affects users who are using Terraform in an FedRAMP environment. As a low level vulnerability is is expected to be resolved within 120 days in FedRAMP.

rcollette avatar Aug 26 '25 15:08 rcollette

We are also affected by this vulnerability in brace-expansion as a transitive dependency of [email protected]. Unfortunately, cdktf bundles its dependencies, which prevents us from effectively overriding the brace-expansion version. We'd be glad to help test any potential fixes or contribute if there's a need to resolve this upstream.

breakpointninja avatar Dec 03 '25 09:12 breakpointninja