What is GHSA-q2f7-m237-v562?

GHSA-q2f7-m237-v562 is a security advisory published by GitHub Security Advisories with Critical severity. @hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators

Why does GHSA-q2f7-m237-v562 have no CVE ID yet?

GitHub Security Advisories published this advisory directly to customers before NVD assigned a CVE ID. This is the embargo-window disclosure pattern — vendors notify customers on day 0; NVD's public record follows days to weeks later.

Which products are affected by GHSA-q2f7-m237-v562?

GHSA-q2f7-m237-v562 affects 1 product, including: npm/@hulumi/policies:\u003c 1.3.2.

GHSA-q2f7-m237-v562CriticalDisclosed before NVD

@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators

Vendor

GitHub Security Advisories

Published

May 21, 2026

Last Modified

May 21, 2026

📋 Description

Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in G_OIDC_1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail. Patched in 1.3.2: the AWS trust-policy inspector now evaluates set-qualified string operators and rejects unsafe GitHub OIDC sub conditions. Remediation: upgrade @hulumi/policies to 1.3.2 or later.

🎯 Affected products1

npm/@hulumi/policies:< 1.3.2

🔗 References (2)

https://github.com/kerberosmansour/hulumi/security/advisories/GHSA-q2f7-m237-v562
https://github.com/advisories/GHSA-q2f7-m237-v562