aws-cdk: CVE-2026-23745

[modosc]

Describe the bug

CVE-2026-23745 is a bug in node-tar <= 7.5.2.

aws-cdk pulls this in indirectly and because of the long dependency chain it's not possible for us to update the underlying dependency directly:

$ yarn why -R tar
│  └─ aws-cdk@npm:2.1101.0 (via npm:2.1101.0)
│     └─ fsevents@patch:fsevents@npm%3A2.3.2#optional!builtin<compat/fsevents>::version=2.3.2&hash=df0bf1 (via patch:fsevents@npm%3A2.3.2#optional!builtin<compat/fsevents>)
│        └─ node-gyp@npm:10.2.0 (via npm:latest)
│           ├─ make-fetch-happen@npm:13.0.1 (via npm:^13.0.0)
│           │  └─ cacache@npm:18.0.4 (via npm:^18.0.0)
│           │     └─ tar@npm:6.2.1 (via npm:^6.1.11)
│           └─ tar@npm:6.2.1 (via npm:^6.2.1)

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

n/a

Current Behavior

n/a

Reproduction Steps

n/a

Possible Solution

No response

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.235.1

AWS CDK CLI version

2.1101.0

Node.js Version

v22.11.0

OS

macos

Language

TypeScript

Language Version

No response

Other information

No response

[pahud]

Hi @modosc,

Thank you for reporting CVE-2026-23745. I can confirm this is a security concern affecting the tar package used transitively through the build toolchain.

Root Cause: The vulnerability comes through the dependency chain: aws-cdk → fsevents → node-gyp → make-fetch-happen → cacache → tar@6.2.1. Since tar@6.2.1 is older than the vulnerable version range (≤ 7.5.2), it is indeed affected.

Immediate Workaround: You can force a secure version using package manager resolutions:

For Yarn:

{
  "resolutions": {
    "tar": "^6.2.2"
  }
}

For npm:

{
  "overrides": {
    "tar": "^6.2.2"
  }
}

Next Steps: This requires updating our build dependencies, particularly node-gyp to a version that uses a secure tar version. I'll bring this up to the team for inputs and follow-up plan.

[pahud]

transferring to aws-cdk-cli repo.

[modosc]

Immediate Workaround: You can force a secure version using package manager resolutions:

For Yarn:

{
"resolutions": {
"tar": "^6.2.2"
}
}
For npm:

{
"overrides": {
"tar": "^6.2.2"
}
}
Next Steps: This requires updating our build dependencies, particularly node-gyp to a version that uses a secure tar version. I'll bring this up to the team for inputs and follow-up plan.

@pahud as far as i can tell this is not correct - the tar author made it clear that they are not backporting these fixes to 6.x. you may want to edit your comment so that people don't erroneously follow your advice on this.

[iankhou]

Fixed, and change released in aws-cdk@2.1103.0.