Insufficient Technical Documentation Affecting @hulumi/baseline package, versions <1.4.0


Severity

Recommended: high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS: 0.04% (13th percentile)

  • Snyk ID: SNYK-JS-HULUMIBASELINE-17660549
  • Published: 27 Jun 2026
  • Disclosed: 10 Jun 2026
  • Credit: kerberosmansour

Introduced: 10 Jun 2026

CVE-2026-48035
CWE-1059

How to fix?

Upgrade @hulumi/baseline to version 1.4.0 or higher.

Overview

@hulumi/baseline provides hardened Pulumi baseline components for AWS and GitHub: SecureBucket, AccountFoundation, AWS organization guardrails, secure primitives, detection foundations, SecureRepository and OrgFoundation, with a SLSA Build L3 attestation on every release.

Affected versions of this package are vulnerable to Insufficient Technical Documentation because tamper-resistance is not sufficiently enforced in the AccountFoundation process. An attacker can erase or modify audit logs by exploiting misconfigurations such as a disabled Object Lock, a forceDestroy setting forwarded to the log bucket, or missing immutability controls in sandbox deployments. The result is loss of forensic evidence and tampering with audit trails that goes undetected.

Workaround

This vulnerability can be mitigated by replicating audit logs to an Object-Locked archive bucket outside the affected account.
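The following is an added example, not code from @hulumi/baseline or from Snyk. It turns the misconfigurations named in the Overview (disabled Object Lock, forwarded forceDestroy, missing immutability controls) and the archive bucket described in the Workaround into a pre-deployment policy check. The bucket configuration shape, the option names and the account ids are assumptions made for the example, not the package's API; the check could be applied to a Pulumi resource's inputs or to the answers of the S3 get-bucket API calls in the same way.

```typescript
// Added example (not part of @hulumi/baseline): policy check for an audit-log
// archive bucket. The config object is an assumed shape, not the package's API.

type VersioningStatus = "Enabled" | "Suspended" | "Disabled";
type RetentionMode = "GOVERNANCE" | "COMPLIANCE";

interface ArchiveBucketConfig {
  name: string;
  accountId: string;            // account that owns the archive bucket
  objectLockEnabled: boolean;   // S3 Object Lock can only be set at bucket creation
  versioning: VersioningStatus; // Object Lock requires versioning to be Enabled
  defaultRetention?: { mode: RetentionMode; days: number };
  forceDestroy: boolean;        // Pulumi flag that empties and deletes the bucket on destroy
}

interface CheckOptions {
  sourceAccountId: string;  // account whose audit logs are replicated into the archive
  minRetentionDays: number; // organisation's minimum evidence retention (assumed value)
}

// Returns one finding per violated rule; an empty array means the bucket passes.
function checkArchiveBucket(cfg: ArchiveBucketConfig, opts: CheckOptions): string[] {
  const findings: string[] = [];

  // A copy in the same account can still be removed by whoever compromised it.
  if (cfg.accountId === opts.sourceAccountId) {
    findings.push(`${cfg.name}: archive bucket lives in the source account ${cfg.accountId}`);
  }
  if (!cfg.objectLockEnabled) {
    findings.push(`${cfg.name}: Object Lock is disabled and cannot be enabled after creation`);
  }
  if (cfg.versioning !== "Enabled") {
    findings.push(`${cfg.name}: versioning is ${cfg.versioning}; Object Lock needs Enabled`);
  }
  if (!cfg.defaultRetention) {
    findings.push(`${cfg.name}: no default retention rule, so new objects are not locked`);
  } else {
    // GOVERNANCE retention can be bypassed by principals holding
    // s3:BypassGovernanceRetention, so only COMPLIANCE mode is tamper-resistant.
    if (cfg.defaultRetention.mode !== "COMPLIANCE") {
      findings.push(`${cfg.name}: retention mode ${cfg.defaultRetention.mode} is bypassable; use COMPLIANCE`);
    }
    if (cfg.defaultRetention.days < opts.minRetentionDays) {
      findings.push(`${cfg.name}: retention of ${cfg.defaultRetention.days} days is below the ${opts.minRetentionDays}-day minimum`);
    }
  }
  if (cfg.forceDestroy) {
    findings.push(`${cfg.name}: forceDestroy is true; a stack destroy would delete the evidence`);
  }
  return findings;
}

// Constructed sample configurations; account ids are placeholders.
const SOURCE_ACCOUNT = "111111111111";

// The weak setting: a sandbox log bucket with every control missing.
const sandboxLogBucket: ArchiveBucketConfig = {
  name: "sandbox-audit-logs",
  accountId: SOURCE_ACCOUNT,
  objectLockEnabled: false,
  versioning: "Suspended",
  forceDestroy: true,
};

// Almost right: locked, but in a retention mode that privileged users can lift.
const governanceArchive: ArchiveBucketConfig = {
  name: "archive-governance",
  accountId: "222222222222",
  objectLockEnabled: true,
  versioning: "Enabled",
  defaultRetention: { mode: "GOVERNANCE", days: 365 },
  forceDestroy: false,
};

// The corrected setting the workaround asks for.
const hardenedArchive: ArchiveBucketConfig = {
  name: "archive-compliance",
  accountId: "222222222222",
  objectLockEnabled: true,
  versioning: "Enabled",
  defaultRetention: { mode: "COMPLIANCE", days: 365 },
  forceDestroy: false,
};

const checkOptions: CheckOptions = { sourceAccountId: SOURCE_ACCOUNT, minRetentionDays: 90 };

for (const cfg of [sandboxLogBucket, governanceArchive, hardenedArchive]) {
  const findings = checkArchiveBucket(cfg, checkOptions);
  console.log(findings.length === 0 ? `${cfg.name}: OK` : findings.join("\n"));
}
```

Running the file reports five findings for the sandbox bucket, one for the GOVERNANCE-mode archive and none for the COMPLIANCE-mode archive. The check deliberately treats GOVERNANCE mode as a finding: it protects against accidental deletion, but not against an attacker holding bypass permissions, which is the threat this advisory is about.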
