Description
Describe the bug
Problem:
The BucketDeployment construct in aws-cdk-lib/aws-s3-deployment uses AwsCliLayer, which bundles urllib3 2.5.0. This version has known CVEs that are fixed in urllib3 2.6.x.
Root Cause:
- BucketDeployment hardcodes AwsCliLayer in its constructor
- AwsCliLayer uses @aws-cdk/[email protected]
- The layer's requirements.txt only specifies awscli==1.43.15
- This installs urllib3 2.5.0 as a transitive dependency (vulnerable)
Impact:
- All CDK users using BucketDeployment are affected
- The layer cannot be overridden or customized
- Security scanners flag this as a vulnerability
Flow:
```js
// node_modules/aws-cdk-lib/aws-s3-deployment/lib/bucket-deployment.js (minified)
class BucketDeployment {
  constructor(scope, id, props) {
    // Creates a Lambda function for deployment
    const handler = new BucketDeploymentSingletonFunction(this, "CustomResourceHandler", {
      uuid: this.renderSingletonUuid(...),
      layers: [new AwsCliLayer(this, "AwsCliLayer")], // ← HARDCODED HERE
      environment: {...},
      lambdaPurpose: "Custom::CDKBucketDeployment",
      timeout: Duration.minutes(15),
      ...
    });
  }
}
```

```js
// node_modules/aws-cdk-lib/lambda-layer-awscli/lib/awscli-layer.js
class AwsCliLayer extends LayerVersion {
  constructor(scope, id) {
    super(scope, id, {
      code: lambda.Code.fromAsset(ASSET_FILE, {
        assetHash: FileSystem.fingerprint(LAYER_SOURCE_DIR)
      }),
      description: "/opt/awscli/aws"
    });
  }
}
```

```
node_modules/@aws-cdk/asset-awscli-v1/
├── package.json (version: 2.2.242)
├── lib/
│   └── layer.zip            ← Pre-built Lambda layer
└── layer/
    ├── requirements.txt     ← awscli==1.40.40
    ├── Dockerfile
    └── build.sh
```

```
awscli==1.43.15
```

```
BucketDeployment Lambda Function
  ↓ Uses AwsCliLayer
  ↓ Runs: /opt/awscli/aws s3 sync ...
  ↓ Uses urllib3 2.5.0 (has CVEs)
```
Regression Issue
Last Known Working CDK Library Version
2.232.2
Expected Behavior
Expected:
- layer to be secured
- using awscliv2
- getting an up-to-date urllib
Current Behavior
BucketDeployment (aws-cdk-lib)
↓
Creates Lambda Function with AwsCliLayer
↓
AwsCliLayer contains urllib3 2.5.0 (CVE)
Reproduction Steps
BucketDeployment (aws-cdk-lib)
↓
Creates Lambda Function with AwsCliLayer
↓
AwsCliLayer contains urllib3 2.5.0 (CVE)
Possible Solution
- layer to be secured
- using awscliv2
- getting an up-to-date urllib
Additional Information/Context
No response
AWS CDK Library version (aws-cdk-lib)
AWS CDK CLI version
2.1100.1 (build db19110)
Node.js Version
v22.20.0
OS
15.7.2 (24G325)
Language
TypeScript
Language Version
TypeScript (5.4.3)
Other information
No response
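The issue above is about a vulnerable transitive dependency hidden inside a pre-built `layer.zip`. The following is an added example, not code from the issue or from the CDK project, showing how a practitioner can scan a layer archive for `*.dist-info/METADATA` entries and flag a bundled urllib3 older than the 2.6 line the report names as fixed. The internal path layout of the archive (`awscli/`) and the sample archive itself are constructed assumptions, since the real asset's layout is not shown in the issue.

```python
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

# urllib3 releases below this are what the issue reports as vulnerable.
MIN_URLLIB3 = (2, 6, 0)

# Matches e.g. "awscli/urllib3-2.5.0.dist-info/METADATA"; non-greedy name
# so hyphenated distribution names (typing-extensions) are kept whole.
METADATA_RE = re.compile(r"([^/]+?)-(\d[^/]*)\.dist-info/METADATA$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.0' into (2, 5, 0); only the first three numeric parts count."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def bundled_packages(zip_bytes: bytes) -> Dict[str, str]:
    """Map normalized distribution name -> version for every dist-info in the archive."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            m = METADATA_RE.search(name)
            if not m:
                continue
            meta = zf.read(name).decode("utf-8", errors="replace")
            ver = re.search(r"^Version:\s*(\S+)", meta, re.MULTILINE)
            dist = m.group(1).lower().replace("_", "-")
            # Prefer the Version field in METADATA; fall back to the directory name.
            found[dist] = ver.group(1) if ver else m.group(2)
    return found


def vulnerable_urllib3(zip_bytes: bytes) -> Optional[str]:
    """Return the bundled urllib3 version if it is below MIN_URLLIB3, else None."""
    version = bundled_packages(zip_bytes).get("urllib3")
    if version is not None and parse_version(version) < MIN_URLLIB3:
        return version
    return None


def constructed_layer(urllib3_version: str) -> bytes:
    """Build an in-memory layer.zip (constructed sample; 'awscli/' prefix is hypothetical)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"awscli/urllib3-{urllib3_version}.dist-info/METADATA",
                    f"Metadata-Version: 2.1\nName: urllib3\nVersion: {urllib3_version}\n")
        zf.writestr("awscli/awscli-1.43.15.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: awscli\nVersion: 1.43.15\n")
    return buf.getvalue()
```

Running `vulnerable_urllib3(open("layer.zip", "rb").read())` against the real asset reports the bundled version only when it is below 2.6.0, so the same check can gate a CI pipeline before the layer is deployed.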