
[Aikido] Fix 7 security issues in lodash, @aws-sdk/client-sts, @aws-sdk/client-cloudfront and 4 more #26

Closed

aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-17677296-sZ7K

Conversation

@aikido-autofix

Upgrade dependencies to fix critical DoS vulnerabilities in minimatch (ReDoS, catastrophic backtracking), prototype pollution in lodash and js-yaml, and AWS SDK security issues.

✅ 7 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-27903 | HIGH | [lodash] A ReDoS vulnerability in glob pattern matching causes unbounded recursive backtracking with multiple GLOBSTAR segments, allowing attackers to stall the event loop for tens of seconds via crafted patterns in build tools, CI/CD pipelines, or multi-tenant systems. |
| CVE-2026-27904 | LOW | [lodash] Nested extglobs in glob patterns create regexps with catastrophic backtracking, causing severe ReDoS denial-of-service attacks with minimal input (12-byte pattern stalls for 7+ seconds). |
| CVE-2026-26996 | LOW | [lodash] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive `*` wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. User-controlled glob patterns can trigger hangs or extreme slowdowns, enabling denial of service attacks. |
| CVE-2025-13465 | MEDIUM | [lodash] A prototype pollution vulnerability in `_.unset` and `_.omit` functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| CVE-2025-64718 | MEDIUM | [lodash] A prototype pollution vulnerability allows attackers to modify object prototypes through malicious YAML documents, potentially enabling arbitrary code execution or application compromise when parsing untrusted input. |
| AIKIDO-2025-10809 | MEDIUM | [lodash] A prototype pollution vulnerability in object merging allows attackers to inject malicious properties via crafted YAML input, potentially leading to remote code execution, denial of service, or other security breaches. |
| GHSA-6475-r3vj-m8vf | LOW | [lodash] Invalid region values in AWS SDK configuration could allow improper routing of API calls to non-AWS hosts if an actor with environment access sets the region field to an invalid value. A validation enhancement has been implemented to ensure regions are valid host labels. |

@vercel

vercel bot commented Feb 28, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| cash-register-api-example-client | Building | Preview, Comment | Feb 28, 2026 11:46pm |
