GHSA-MVM6-F9R3-FGFX: GHSA-mvm6-f9r3-fgfx: JSON Policy Injection in AWS SDK for .NET CloudFront Signers

#security #cve #cybersecurity #ghsa

GHSA-mvm6-f9r3-fgfx: JSON Policy Injection in AWS SDK for .NET CloudFront Signers

Vulnerability ID: GHSA-MVM6-F9R3-FGFX
CVSS Score: 9.3
Published: 2026-03-27

The AWS SDK for .NET contains a vulnerability in its CloudFront signing utilities where improper escaping of special characters permits JSON policy injection. Attackers who can control input passed to the signing methods can alter the generated CloudFront custom policy, allowing them to bypass access restrictions and access private resources.

TL;DR

Unescaped quotes and backslashes in AWS SDK for .NET CloudFront utilities allow attackers to inject malicious JSON into custom policies, bypassing intended access controls for private CloudFront content.

Technical Details

CWE ID: CWE-116
Attack Vector: Network
CVSS v3.1 Score: 9.3 (Critical)
Confidentiality Impact: High
Integrity Impact: Low
Exploit Status: None

Affected Systems

AWS SDK for .NET
NuGet Package: AWSSDK.CloudFront
NuGet Package: AWSSDK.Extensions.CloudFront.Signers
AWSSDK.CloudFront: < 3.7.510.7 (Fixed in: 3.7.510.7)
AWSSDK.Extensions.CloudFront.Signers: < 4.0.0.31 (Fixed in: 4.0.0.31)

Mitigation Strategies

Dependency Upgrade
Input Validation
Defense-in-Depth Sanitization

Remediation Steps:

Identify all projects utilizing the AWSSDK.CloudFront or AWSSDK.Extensions.CloudFront.Signers NuGet packages.
Update AWSSDK.CloudFront to version 3.7.510.7 or later.
Update AWSSDK.Extensions.CloudFront.Signers to version 4.0.0.31 or later.
Recompile and deploy the updated application.
Audit application logic to ensure proper input validation is performed on any user-controlled data passed to CloudFront signing utilities.