{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@hulumi/policies--1.3.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@hulumi/policies (\u003c 1.3.2)"],"_cs_severities":["medium"],"_cs_tags":["dependency-confusion","security-bypass","cloud"],"_cs_type":"advisory","_cs_vendors":["Cloudflare","Hulumi"],"content_html":"\u003cp\u003e@hulumi/policies, a package used for deployment governance and security policy enforcement, contained a vulnerability in versions prior to 1.3.2. The vulnerability stemmed from the use of stack-wide evidence shortcuts within Cloudflare and deployment-governance validators. This meant that arbitrary, compliant-looking evidence could be used to suppress violations across different Cloudflare zones, hostnames, origins, or repositories within the same stack. This vulnerability effectively bypassed intended security and governance controls, potentially allowing unauthorized or non-compliant deployments to proceed undetected. Hulumi released version 1.3.2 to address this issue, implementing stricter evidence correlation and including regression tests to prevent future bypasses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a resource within a stack protected by @hulumi/policies.\u003c/li\u003e\n\u003cli\u003eThe attacker determines the criteria for a compliant evidence object.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a compliant evidence object, unrelated to the target resource, within the same stack.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a deployment or configuration change on the protected resource.\u003c/li\u003e\n\u003cli\u003e@hulumi/policies incorrectly uses the unrelated compliant evidence to satisfy the policy requirements of the targeted resource.\u003c/li\u003e\n\u003cli\u003eThe policy check incorrectly passes, allowing the deployment or configuration change to proceed.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully bypasses the intended security and governance controls.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves unauthorized changes to the target resource.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability in @hulumi/policies allowed attackers to bypass intended security and governance controls. This could lead to unauthorized deployments, misconfigurations, and potentially compromise the security posture of systems protected by these policies. While the specific number of affected organizations is unknown, any environment relying on @hulumi/policies prior to version 1.3.2 for Cloudflare or deployment governance was susceptible to this bypass. Successful exploitation could lead to data breaches, service disruptions, or other security incidents depending on the specific resources being protected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade @hulumi/policies to version 1.3.2 or later to remediate the vulnerability (reference: Remediation section).\u003c/li\u003e\n\u003cli\u003eReview existing deployment pipelines and security policies to ensure they are aligned with the updated version of @hulumi/policies.\u003c/li\u003e\n\u003cli\u003eEnable logging for deployment events to detect any potential unauthorized changes (reference: attack chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T20:50:31Z","date_published":"2026-05-21T20:50:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-hulumi-policies-bypass/","summary":"@hulumi/policies versions before 1.3.2 allowed unrelated compliant-looking evidence to suppress violations for different zones, hostnames, origins, or repositories in the same stack, bypassing Cloudflare and deployment-governance guardrails.","title":"@hulumi/policies Evidence Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-hulumi-policies-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — @Hulumi/Policies (\u003c 1.3.2)","version":"https://jsonfeed.org/version/1.1"}