
[Aikido] Fix 7 security issues in lodash, @aws-sdk/client-sts, @aws-sdk/client-cloudfront and 4 more#27

Closed

aikido-autofix[bot] wants to merge 1 commit into `main` from `fix/aikido-security-update-packages-18056336-egw9`

Conversation

aikido-autofix bot commented Mar 3, 2026

Upgrade dependencies to fix prototype pollution in Lodash and js-yaml, ReDoS vulnerabilities in minimatch, and potential RCE risks from unsafe YAML parsing.

✅ 7 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2025-13465 | MEDIUM | [lodash] A prototype pollution vulnerability in `_.unset` and `_.omit` functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| CVE-2025-64718 | MEDIUM | [lodash] A prototype pollution vulnerability allows attackers to modify object prototypes through malicious YAML documents, potentially enabling arbitrary code execution or application compromise when parsing untrusted input. |
| AIKIDO-2025-10809 | MEDIUM | [lodash] A prototype pollution vulnerability in object merging allows attackers to inject malicious properties via crafted YAML input, potentially leading to remote code execution, denial of service, or other security breaches. |
| CVE-2026-27904 | LOW | [lodash] Nested extglobs in glob patterns create regexps with catastrophic backtracking, causing severe ReDoS denial-of-service attacks with minimal input (12-byte pattern stalls for 7+ seconds). |
| CVE-2026-26996 | LOW | [lodash] A Regular Expression Denial of Service (ReDoS) vulnerability exists when glob patterns contain many consecutive `*` wildcards followed by a literal character, causing exponential backtracking with O(4^N) complexity. User-controlled glob patterns can trigger hangs or extreme slowdowns, enabling denial of service attacks. |
| CVE-2026-27903 | LOW | [lodash] A ReDoS vulnerability in glob pattern matching causes unbounded recursive backtracking with multiple GLOBSTAR segments, allowing attackers to stall the event loop for tens of seconds via crafted patterns in build tools, CI/CD pipelines, or multi-tenant systems. |
| GHSA-6475-r3vj-m8vf | LOW | [lodash] Invalid region values in AWS SDK configuration could allow improper routing of API calls to non-AWS hosts if an actor with environment access sets the region field to an invalid value. A validation enhancement has been implemented to ensure regions are valid host labels. |
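A defensive guard for the `_.unset` / `_.omit` path issue listed above (CVE-2025-13465), added here as an example that is not part of the PR or of lodash's own code: it tokenizes a lodash-style path and refuses any segment that would walk into a shared prototype before the path reaches a path-based mutator. `toPath`, `isSafePath`, `guardedUnset` and the `unsetOwn` stand-in are assumed names; `unsetOwn` is a minimal own-property deleter, not lodash's implementation.

```javascript
// Added example (not from the PR or lodash): reject paths that reach a
// prototype before handing them to an unset/omit-style function.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Tokenize a lodash-style path: "a.b[0]['c']" -> ["a", "b", "0", "c"].
// Simplified scanner: bracket contents are taken literally, quotes stripped.
// Array paths are accepted as-is (each element stringified).
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  const tokens = [];
  const re = /\[(?:"([^"]*)"|'([^']*)'|([^\]]*))\]|[^.[\]]+/g;
  let m;
  while ((m = re.exec(String(path))) !== null) {
    tokens.push(m[1] ?? m[2] ?? m[3] ?? m[0]);
  }
  return tokens;
}

// A path is safe only if no segment names a prototype-reaching key.
function isSafePath(path) {
  return toPath(path).every((key) => !BLOCKED_KEYS.has(key));
}

// Wrap any unset-style function: refuse the call instead of mutating a
// prototype that every object in the process shares.
function guardedUnset(unsetImpl, obj, path) {
  if (!isSafePath(path)) {
    throw new TypeError(`refusing path that touches a prototype: ${String(path)}`);
  }
  return unsetImpl(obj, path);
}

// Stand-in for _.unset (assumption: returns true when the key was deleted or
// was absent). Walks own properties only, so it never descends into a
// prototype even without the guard.
function unsetOwn(obj, path) {
  const keys = toPath(path);
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (cur === null || typeof cur !== "object" || !hasOwn(cur, key)) return true;
    cur = cur[key];
  }
  if (cur === null || typeof cur !== "object") return true;
  return delete cur[keys[keys.length - 1]];
}
```

Both layers are worth keeping: the guard gives a loud failure that can be logged and alerted on, while the own-property walk limits damage if a path slips through tokenization differences.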

vercel bot commented Mar 3, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| cash-register-api-example-client | Error | Error | Mar 3, 2026 11:40pm |
