Introduction
The @hulumi/policies package provides policy rules for managing and enforcing security controls on AWS IAM roles. A recently disclosed vulnerability (CVE-2026-48032), rated with a severity score of 8.3, affects versions prior to 1.4.0: IAM roles whose trust policy lists multiple OIDC providers can pass the package's GitHub OIDC checks even when those checks should have flagged them.
The Vulnerability
AWS IAM trust policies can name multiple federated identity providers in a single statement, for example GitHub Actions OIDC alongside Google's OIDC. The G_OIDC_1 and G_OIDC_2 policy rules are intended to flag IAM roles with overly permissive GitHub OIDC trust, such as wildcard conditions on the sub claim that would let any branch or pull request of a repository assume the role.
The bug is triggered when the statement's Principal.Federated field is a JSON array of provider ARNs rather than a single string. In that case the rules fail to recognise GitHub Actions as one of the providers: the array is coerced into a single comma-joined string, and the matcher only inspects the start of that string, so the GitHub OIDC hostname is never compared against the expected provider ARN. A role that lists the GitHub provider together with any other provider is therefore treated as not GitHub-OIDC-assumable, and the downstream checks are skipped.
Impact
A trust policy that lists the real GitHub OIDC provider ARN alongside any second provider can slip past both detectors. Consumers using HulumiHardeningPack or HulumiGithubHardeningPack could therefore deploy IAM roles with wildcard sub conditions, which would allow untrusted pull requests from forks to assume the role, while their policy validation still reports the stack as compliant. The failure is silent: no finding is raised, so nothing prompts a reviewer to look at the trust policy.
Solution
Upgrade to @hulumi/policies version 1.4.0 or later. That release handles Principal.Federated as a list: if any element of the list is the real GitHub OIDC provider ARN, the role is treated as GitHub-OIDC-assumable and both the wildcard check and the blast-radius check are applied to it. After upgrading, re-run policy validation against existing stacks, since roles that previously reported as compliant may now produce findings.
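The following is an added example, not code from @hulumi/policies, that re-creates the class of bug described in the Vulnerability section and the corrected behaviour described in the Solution section. It places a buggy matcher, which coerces Principal.Federated to a string, beside a fixed matcher that normalises the field to a list, and runs a G_OIDC_1-style wildcard check with each over a constructed trust policy. The account ID, the Google provider, the policy contents and all function names are assumptions made for illustration.

```javascript
// Added example: not the package's own code. Re-creates the array-coercion bug
// and the list-aware fix for recognising the GitHub OIDC provider in a trust policy.

const GITHUB_OIDC_ARN_RE =
  /^arn:aws:iam::\d{12}:oidc-provider\/token\.actions\.githubusercontent\.com$/;

// Build a constructed trust policy with the given providers and sub condition.
function makeTrustPolicy(providers, subPattern) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: providers },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: {
        StringLike: { "token.actions.githubusercontent.com:sub": subPattern },
      },
    }],
  };
}

// Constructed account ID and provider ARNs (assumptions for illustration).
const GITHUB_PROVIDER =
  "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com";
const OTHER_PROVIDER =
  "arn:aws:iam::123456789012:oidc-provider/accounts.google.com";

// Vulnerable: GitHub listed second, sub accepts any branch or PR of the repo.
const vulnerablePolicy = makeTrustPolicy(
  [OTHER_PROVIDER, GITHUB_PROVIDER],
  "repo:example-org/example-repo:*"
);
// Hardened: same providers, sub pinned to a single branch.
const hardenedPolicy = makeTrustPolicy(
  [OTHER_PROVIDER, GITHUB_PROVIDER],
  "repo:example-org/example-repo:ref:refs/heads/main"
);

// Buggy matcher: String(array) yields "arn...google.com,arn...githubusercontent.com",
// which no longer matches the single-ARN pattern, so GitHub goes unrecognised.
function isGithubOidcAssumableBuggy(statement) {
  const federated = String(statement.Principal.Federated);
  return GITHUB_OIDC_ARN_RE.test(federated);
}

// Fixed matcher: normalise to a list and accept if any element is the GitHub ARN.
function isGithubOidcAssumableFixed(statement) {
  const f = statement.Principal.Federated;
  const providers = Array.isArray(f) ? f : [f];
  return providers.some(p => typeof p === "string" && GITHUB_OIDC_ARN_RE.test(p));
}

// Flags any "*" in a value of a ":sub" condition key. A production rule would
// be more selective about where the wildcard appears; this is enough to show the gap.
function hasWildcardSub(statement) {
  const cond = statement.Condition || {};
  for (const op of Object.keys(cond)) {
    for (const [key, value] of Object.entries(cond[op])) {
      if (!key.endsWith(":sub")) continue;
      const values = Array.isArray(value) ? value : [value];
      if (values.some(v => typeof v === "string" && v.includes("*"))) return true;
    }
  }
  return false;
}

// Findings a G_OIDC_1-style rule emits: wildcard sub on a GitHub-OIDC-assumable role.
function findings(policy, matcher) {
  const out = [];
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow" || !s.Principal || !s.Principal.Federated) continue;
    if (matcher(s) && hasWildcardSub(s)) {
      out.push("wildcard sub condition on GitHub-OIDC-assumable role");
    }
  }
  return out;
}

// Stand-alone run: the buggy matcher reports the vulnerable policy as clean.
console.log("buggy  :", findings(vulnerablePolicy, isGithubOidcAssumableBuggy));
console.log("fixed  :", findings(vulnerablePolicy, isGithubOidcAssumableFixed));
console.log("hardened (fixed):", findings(hardenedPolicy, isGithubOidcAssumableFixed));
```

The point to carry over into your own policy code is the normalisation step in the fixed matcher: any IAM field that may be a string or an array (Principal.Federated, Action, Resource, condition values) should be coerced to a list before matching, never to a string.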
Conclusion
This vulnerability shows that policy rules need to be tested against the full range of shapes an IAM trust policy can take, including the array form of Principal.Federated that appears as soon as a role trusts more than one OIDC provider. Upgrading to @hulumi/policies 1.4.0 or later restores the intended checks for those roles.