{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@hulumi/drift--1.3.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@hulumi/drift (\u003c 1.3.2)","github.com"],"_cs_severities":["high"],"_cs_tags":["supply-chain","vulnerability","npm"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003e@hulumi/drift, an npm package used by the \u003ccode\u003ekerberosmansour/hulumi\u003c/code\u003e repository, accepted externally supplied execute plans in its orphan reconciler without validating their provenance. In versions before 1.3.2 a plan handed to the reconciler is executed as trusted regardless of its origin, so unsafe reconciliation input is applied as if the package\u0026rsquo;s own planning step had produced it. Version 1.3.2 adds provenance validation to execute-plan handling, with regression coverage for the case. Before the fix, an attacker who can get a plan in front of the reconciler can steer reconciliation toward changes the desired state never called for.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eHow the missing provenance check is exploited in versions before 1.3.2:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts an execute plan whose operations serve their goal rather than the application\u0026rsquo;s desired state.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the plan to an application running a vulnerable @hulumi/drift through whatever channel the application reads plans from.\u003c/li\u003e\n\u003cli\u003eThe reconciler, lacking a provenance check, accepts the plan and does not distinguish it from one produced by the package\u0026rsquo;s own planning step.\u003c/li\u003e\n\u003cli\u003eThe reconciler executes the plan\u0026rsquo;s operations, so the resulting state reflects the attacker\u0026rsquo;s plan rather than the intended reconciliation.\u003c/li\u003e\n\u003cli\u003eThe outcome depends on what the reconciler manages: data manipulation, privilege escalation or denial of service are all possible, for example by deleting resources that are still wanted or by creating or altering resources of the attacker\u0026rsquo;s choosing.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation compromises the integrity of applications using vulnerable versions of @hulumi/drift. A malicious execute plan drives the reconciliation process, which can result in unauthorized data modification and unintended system behavior. Applications that rely on reconciliation to keep actual state aligned with desired state are affected most directly, because the attacker\u0026rsquo;s plan replaces that guarantee.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade @hulumi/drift to version 1.3.2 or later, as advised in GitHub Advisory \u003ca href=\"https://github.com/advisories/GHSA-2ffm-hxrq-qqmm\"\u003eGHSA-2ffm-hxrq-qqmm\u003c/a\u003e. Check the installed versions, including transitive copies, with \u003ccode\u003enpm ls @hulumi/drift\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDo not pass execute plans that originate outside the application\u0026rsquo;s own planning step (request bodies, uploaded files, content from untrusted repositories) to the reconciler. The fix validates provenance, but keeping untrusted plans away from the execution path in the first place limits exposure to any future gap in that check.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T20:45:34Z","date_published":"2026-05-21T20:45:34Z","id":"https://feed.craftedsignal.io/briefs/2026-05-hulumi-drift-execute-plan/","summary":"@hulumi/drift versions before 1.3.2 could accept externally supplied execute plans without sufficient provenance checks, allowing unsafe reconciliation input to be treated as trusted; upgrade to version 1.3.2 or later to resolve this vulnerability.","title":"@hulumi/drift Orphan Reconciler Accepts Externally Supplied Execute Plans","url":"https://feed.craftedsignal.io/briefs/2026-05-hulumi-drift-execute-plan/"}],"language":"en","title":"CraftedSignal Threat Feed — @Hulumi/Drift (\u003c 1.3.2)","version":"https://jsonfeed.org/version/1.1"}