What is GHSA-2ffm-hxrq-qqmm?

GHSA-2ffm-hxrq-qqmm is a security advisory published by GitHub Security Advisories with High severity. @hulumi/drift: Orphan reconciler accepted externally supplied execute plans

Why does GHSA-2ffm-hxrq-qqmm have no CVE ID yet?

GitHub Security Advisories published this advisory directly to customers before NVD assigned a CVE ID. This is the embargo-window disclosure pattern — vendors notify customers on day 0; NVD's public record follows days to weeks later.

Which products are affected by GHSA-2ffm-hxrq-qqmm?

GHSA-2ffm-hxrq-qqmm affects 1 product, including: npm/@hulumi/drift:\u003c 1.3.2.

GHSA-2ffm-hxrq-qqmmHighDisclosed before NVD

@hulumi/drift: Orphan reconciler accepted externally supplied execute plans

Vendor

GitHub Security Advisories

Published

May 21, 2026

Last Modified

May 21, 2026

📋 Description

Impact: @hulumi/drift versions before 1.3.2 could accept externally supplied execute plans without sufficient provenance checks, allowing unsafe reconciliation input to be treated as trusted. Patched in 1.3.2: execute-plan handling now validates provenance and rejects untrusted plans, with regression coverage. Remediation: upgrade @hulumi/drift to 1.3.2 or later.

🎯 Affected products1

npm/@hulumi/drift:< 1.3.2

🔗 References (2)

https://github.com/kerberosmansour/hulumi/security/advisories/GHSA-2ffm-hxrq-qqmm
https://github.com/advisories/GHSA-2ffm-hxrq-qqmm