AWS Lambda - 8 CVEs (Page 1/1)

About “AWS Lambda”

A curated feed of “AWS Lambda”-related CVEs appears below. We currently track 8 CVEs for this tag (all time). In the last 365 days, 2 were published. Average CVSS is 6.9 (all time; 7.8 over 365d), and 62% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-290 - Authentication Bypass by Spoofing, CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection').

In our taxonomy this topic maps to a LOW impact class. Cloud and managed service CVEs involve shared responsibility. Check provider bulletins to confirm tenant actions, limit exposure, and rotate keys if advised. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: aws-lambda

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	Premier Support	EOL
ruby4.0	2026-04-30	-	2029-03-31	2029-05-31
dotnet10	2026-01-08	-	2028-11-14	2029-01-15
nodejs24.x	2025-11-25	-	2028-04-30	2028-07-01
python3.14	2025-11-18	-	2029-06-30	2029-08-31
java25	2025-11-14	-	2029-06-30	2029-08-31
ruby3.4	2025-03-27	-	2028-03-31	2028-05-31
dotnet9	2024-12-09	-	2026-11-10	-
nodejs22.x	2024-11-22	-	2027-04-30	2027-07-01
python3.13	2024-11-14	-	2029-06-30	2029-08-31
ruby3.3	2024-04-04	-	2027-03-31	2027-05-31
dotnet8	2024-02-22	-	2026-11-10	2027-03-03
python3.12	2023-12-14	-	2028-10-31	2029-01-10
java21	2023-11-17	-	2029-06-30	2029-08-31
nodejs20.x	2023-11-15	-	2026-04-30	2027-03-03
provided.al2023	2023-11-10	-	2029-06-30	2029-08-31
python3.11	2023-07-27	-	2027-06-30	2027-08-31
ruby3.2	2023-06-07	-	2026-03-31	2027-03-03
java17	2023-04-27	-	2027-06-30	2027-08-31
python3.10	2023-04-18	-	2026-10-31	2027-03-03
nodejs18.x	2022-11-18	-	2025-09-01	2027-03-03
dotnet7	2022-11-15	-	2024-05-14	- Expired
nodejs16.x	2022-05-12	-	2024-06-12	2027-03-03
dotnet6	2022-02-24	-	2024-12-20	2027-03-03
python3.9	2021-08-16	-	2025-12-15	2027-03-03
nodejs14.x	2021-02-03	-	2023-12-04	2027-03-03
dotnet5.0	2020-12-02	-	2022-05-10	- Expired
java8.al2	2020-08-12	-	2027-06-30	2027-08-31
provided.al2	2020-08-12	-	2026-07-31	2027-03-03
dotnetcore3.1	2020-03-31	-	2023-04-03	2023-05-03 Expired
ruby2.7	2020-02-19	-	2023-12-07	2027-03-03
nodejs12.x	2019-11-18	-	2023-03-31	2023-04-30 Expired
python3.8	2019-11-18	-	2024-10-14	2027-03-03
java11	2019-11-18	-	2027-06-30	2027-08-31
nodejs10.x	2019-05-15	-	2021-07-30	2022-02-14 Expired
ruby2.5	2018-11-29	-	2021-07-30	2022-03-31 Expired
provided	2018-11-29	-	2024-01-08	2027-03-03
python3.7	2018-11-19	-	2023-12-04	2027-03-03
dotnetcore2.1	2018-07-09	-	2022-01-05	2022-04-13 Expired
nodejs8.10	2018-04-02	-	2020-03-06	2020-03-06 Expired
dotnetcore2.0	2018-01-15	-	2019-05-30	2019-05-30 Expired
go1.x	2018-01-15	-	2024-01-08	2027-03-03
nodejs4.3-edge	2017-07-17	-	2020-03-05	2020-04-30 Expired
python3.6	2017-04-18	-	2022-07-18	2022-08-29 Expired
nodejs6.10	2017-03-22	-	2019-08-12	2019-08-12 Expired
dotnetcore1.0	2016-12-01	-	2019-06-27	2019-07-30 Expired
nodejs4.3	2016-04-07	-	2020-03-05	2020-03-05 Expired
python2.7	2015-10-08	-	2021-07-15	2022-05-30 Expired
java8	2015-06-15	-	2024-01-08	2027-03-03
nodejs	2014-11-13	-	2016-08-30	2016-10-31 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “AWS Lambda” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2026-02-25

High

CVE-2026-27700

Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load B…

CVSS: 8.2 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD

2025-12-30

High

CVE-2025-69256

The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulner…

CVSS: 7.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD

2024-06-11

High

CVE-2024-37293

The AWS Deployment Framework (ADF) is a framework to manage and deploy resources across multiple AWS accounts and regions within an AWS Organization. ADF allows for staged, parallel, multi-account, c…

CVSS: 7.5 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD

2024-02-01

Low

CVE-2024-24754

Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object.…

CVSS: 3.7 CWE: CWE-436 - Interpretation Conflict View on NVD

Medium

CVE-2024-24753

Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two hea…

CVSS: 4.8 CWE: CWE-436 - Interpretation Conflict View on NVD

Medium

CVE-2024-24752

CVSS: 6.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD

2020-01-08

Critical

CVE-2019-10777

In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD

2018-03-04

High

CVE-2018-7560

index.js in the Anton Myshenin aws-lambda-multipart-parser NPM package before 0.1.2 has a Regular Expression Denial of Service (ReDoS) issue via a crafted multipart/form-data boundary string.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD