GHSA-J965-2QGJ-VJMQ

Vulnerability from github – Published: 2026-01-08 22:04 – Updated: 2026-01-08 22:04
VLAI?
Summary
JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3
Details

CVSSv3.1 Rating: 3.7 (LOW)

Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version.

Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features.

Impacted versions: All versions of AWS SDK for JavaScript v2

Patches No security patch is required, this is an informational advisory.

Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration

References Contact AWS Security via the vulnerability reporting page or email aws-security@amazon.com.

Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.

Severity ?
3.7 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "aws-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "last_affected": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-08T22:04:26Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "CVSSv3.1 Rating: 3.7 (LOW)\n\nSummary\nThis notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version.\n\nImpact\nCustomer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features.\n\nImpacted versions: All versions of AWS SDK for JavaScript v2\n\nPatches\nNo security patch is required, this is an informational advisory.\n\nWorkarounds\n- Implement proper input sanitization in your application code\n- Migrate to AWS SDK for JavaScript v3\n- Follow AWS security best practices for SDK configuration\n\nReferences\nContact AWS Security via the vulnerability reporting page or email [aws-security@amazon.com](mailto:aws-security@amazon.com).\n\nAcknowledgement\nAWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.",
  "id": "GHSA-j965-2qgj-vjmq",
  "modified": "2026-01-08T22:04:26Z",
  "published": "2026-01-08T22:04:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-sdk-js/security/advisories/GHSA-j965-2qgj-vjmq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/aws-sdk-js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.