
AWS SDK for Go v2 Can Crash from Malformed Response

GHSA-xmrv-pmrh-hhx2
Summary

The AWS SDK for Go v2 can crash if it receives a malformed response from a server: a malicious or compromised endpoint can send a specially crafted EventStream response that makes the client process panic and exit. To fix this, update to the SDK release of March 23, 2026 (release-2026-03-23) or later. If you have forked the code, apply the patches from that release to your fork.

What to do
  • Update each affected github.com aws module to the fixed version listed in the table below; all of these versions are part of the 2026-03-23 release or later.
  • Check which versions your build actually resolves with `go list -m all | grep github.com/aws/aws-sdk-go-v2`, then run `go get -u` for the affected modules and rebuild.
Affected software
Vendor       Product   Affected versions   Fix available
github.com   aws       < 1.7.8             1.7.8
github.com   aws       < 1.15.2            1.15.2
github.com   aws       < 1.51.8            1.51.8
github.com   aws       < 1.50.4            1.50.4
github.com   aws       < 1.65.0            1.65.0
github.com   aws       < 1.52.19           1.52.19
github.com   aws       < 1.43.5            1.43.5
github.com   aws       < 1.88.5            1.88.5
github.com   aws       < 1.35.15           1.35.15
github.com   aws       < 1.97.3            1.97.3
github.com   aws       < 1.39.6            1.39.6
github.com   aws       < 1.34.5            1.34.5
Original title
Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder
Original description
**CVSSv3.1 Rating**: [Medium]
**CVSSv3.1 Score**: [5.9]
**CVSSv3.1 Vector String**: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H]

## Summary and Impact
An issue exists in the EventStream header decoder in AWS SDK for Go v2 in versions predating [2026-03-23](https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23). An actor controlling the server side of a connection can send a malformed EventStream response frame containing a crafted header value type byte outside the valid range, which causes the decoder to panic and the host process to terminate.

Impacted versions: < [2026-03-23](https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23)
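The failure mode above is a decoder that trusts the header value type byte it read off the wire, for example by using it directly as an index into a fixed-size table, so a byte outside the documented 0 to 9 range trips Go's bounds check and panics instead of returning an error. The following is an added illustration written for this page, not the SDK's code and not the patch: a minimal parser for the vnd.amazon.eventstream header block (one name-length byte, the name, one type byte, then the value) that rejects an unknown type byte with an error, shown next to the kind of direct table lookup that panics on the same input. The header block bytes are constructed inline for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Header value type bytes of the vnd.amazon.eventstream encoding.
// Valid values are 0 through 9; anything else is malformed.
const (
	typeBoolTrue  = 0
	typeBoolFalse = 1
	typeByte      = 2
	typeInt16     = 3
	typeInt32     = 4
	typeInt64     = 5
	typeBytes     = 6 // 2-byte big-endian length prefix
	typeString    = 7 // 2-byte big-endian length prefix
	typeTimestamp = 8
	typeUUID      = 9
)

var errMalformed = errors.New("eventstream: malformed header block")

// Header is one decoded name/value pair; Value is left as raw bytes.
type Header struct {
	Name  string
	Type  byte
	Value []byte
}

// fixedValueLength returns the value size for fixed-size types and
// fixed=false for the length-prefixed types and for any unknown type byte.
func fixedValueLength(t byte) (n int, fixed bool) {
	switch t {
	case typeBoolTrue, typeBoolFalse:
		return 0, true
	case typeByte:
		return 1, true
	case typeInt16:
		return 2, true
	case typeInt32:
		return 4, true
	case typeInt64, typeTimestamp:
		return 8, true
	case typeUUID:
		return 16, true
	}
	return 0, false
}

// DecodeHeaders parses the header block of one frame. Every read is
// bounds-checked and an out-of-range type byte is an error, never a panic,
// so a hostile server cannot take the client process down.
func DecodeHeaders(b []byte) ([]Header, error) {
	var hs []Header
	for len(b) > 0 {
		nameLen := int(b[0])
		b = b[1:]
		if nameLen == 0 || len(b) < nameLen+1 { // name plus type byte
			return nil, errMalformed
		}
		name, t := string(b[:nameLen]), b[nameLen]
		b = b[nameLen+1:]

		n, fixed := fixedValueLength(t)
		switch {
		case t == typeBytes || t == typeString:
			if len(b) < 2 {
				return nil, errMalformed
			}
			n, b = int(binary.BigEndian.Uint16(b)), b[2:]
		case !fixed:
			return nil, fmt.Errorf("%w: unknown header value type %d", errMalformed, t)
		}
		if len(b) < n {
			return nil, errMalformed
		}
		hs = append(hs, Header{Name: name, Type: t, Value: b[:n]})
		b = b[n:]
	}
	return hs, nil
}

// fixedLen is the kind of table a decoder might index directly by the type
// byte (illustration only, not the SDK's implementation). Indexing it with
// a byte outside 0..9 panics with "index out of range".
var fixedLen = [10]int{0, 0, 1, 2, 4, 8, -1, -1, 8, 16}

func NaiveValueLength(t byte) int { return fixedLen[t] }

// Panics reports whether f panics; used to demonstrate the two behaviours.
func Panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

// strHeader encodes one string-typed header (constructed sample input).
func strHeader(name, val string) []byte {
	out := append([]byte{byte(len(name))}, name...)
	out = append(out, typeString, byte(len(val)>>8), byte(len(val)))
	return append(out, val...)
}

// goodBlock is a well-formed header block; badBlock carries type byte 0xFF.
var goodBlock = append(strHeader(":event-type", "Records"), strHeader(":content-type", "application/json")...)
var badBlock = []byte{4, 'n', 'a', 'm', 'e', 0xFF, 0, 0}

func main() {
	hs, err := DecodeHeaders(goodBlock)
	fmt.Println(len(hs), err)
	_, err = DecodeHeaders(badBlock)
	fmt.Println(err)
	fmt.Println("naive lookup panics:", Panics(func() { NaiveValueLength(0xFF) }))
}
```

Run it with `go run`: the hardened decoder returns two headers for the well-formed block, an error naming type 255 for the crafted block, and an error rather than a panic for truncated input, while the direct table lookup panics on the same 0xFF byte. The general lesson is that every byte of a frame comes from the remote side and must be range-checked before it selects a code path or a table slot; a `recover` at the transport layer is a backstop, not a substitute for that check.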

## Patches
This issue has been addressed in versions [2026-03-23](https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23) and above. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

## Workarounds
Not Applicable

## References
If you have any questions or comments about this advisory, we ask that you contact [AWS/Amazon] Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [[email protected]](mailto:[email protected]). Please do not create a public GitHub issue.
Source: GHSA · CVSS 3.1 score: 5.9
Vulnerability type
CWE-20 Improper Input Validation
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026