DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-xmrv-pmrh-hhx2: Remote Denial of Service via EventStream Decoder Panic in AWS SDK for Go v2

Vulnerability ID: GHSA-xmrv-pmrh-hhx2
CVSS Score: 5.9
Published: 2026-04-08

The AWS SDK for Go v2 contains a Denial of Service (DoS) vulnerability in its EventStream decoder, the component that parses the binary vnd.amazon.eventstream framing used by the SDK's streaming APIs. Every header in an EventStream message carries a one-byte value-type tag. When the decoder meets a tag it does not recognize, it panics instead of returning an error, and nothing in the SDK recovers that panic, so the host process terminates. An attacker positioned to alter responses, whether by tampering with the connection in transit or by controlling the endpoint the client talks to, can therefore crash the application with a single malformed header.

TL;DR

A header whose value-type byte the AWS SDK for Go v2 EventStream decoder does not recognize triggers an unrecovered panic. An attacker who can tamper with a response stream can use it to crash the application outright; the impact is process termination, not code execution. Fixed in the module versions listed under Affected Systems.


Technical Details

  • CWE ID: CWE-248 (Uncaught Exception)
  • Attack Vector: Network
  • Attack Complexity: High
  • CVSS v3.1: 5.9 (Moderate)
  • Impact: Denial of Service (Process Termination)
  • Exploit Status: None publicly reported
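To make the failure mode concrete, the following Go program is an added example written for this page; it is not the SDK's decoder, and its names (decodeHeaders, the strict flag, the cursor helper, the sample header bytes) are this example's own. The layout it parses is the public vnd.amazon.eventstream header format: a one-byte name length, the name, a one-byte value-type tag, then the value, with tags 0 to 9 for bool true, bool false, byte, short, int, long, byte array, string, timestamp and UUID, and a two-byte big-endian length in front of strings and byte arrays. With strict set to false the default branch of the type switch panics, which is the shape of the pre-1.7.8 bug; with strict set to true it returns an error the caller can act on, which is the shape of the fix. The same sticky-error cursor also turns a truncated block into an error rather than a crash, a neighbouring failure mode worth checking at the same time.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Value-type tags of the vnd.amazon.eventstream header format; any other byte
// in the tag position is undefined. Strings and byte arrays carry a 2-byte
// big-endian length prefix; fixedWidth gives the payload size of the rest.
const (
	typeBoolTrue, typeBoolFalse, typeByte, typeShort, typeInt    byte = 0, 1, 2, 3, 4
	typeLong, typeByteArray, typeString, typeTimestamp, typeUUID byte = 5, 6, 7, 8, 9
)

var fixedWidth = map[byte]int{typeByte: 1, typeShort: 2, typeInt: 4, typeLong: 8, typeTimestamp: 8, typeUUID: 16}

// Header is one decoded name/value pair: bools and strings decoded, the rest kept as raw bytes.
type Header struct {
	Name  string
	Value any
}

// ErrUnknownHeaderType is what the hardened path returns instead of panicking.
var ErrUnknownHeaderType = errors.New("eventstream: unknown header value type")

// cursor reads fixed chunks and keeps the first failure, so truncated input is an error, not a panic.
type cursor struct {
	r   *bytes.Reader
	err error
}

func (c *cursor) bytes(n int) []byte {
	buf := make([]byte, n)
	if c.err == nil {
		_, c.err = io.ReadFull(c.r, buf)
	}
	return buf
}

func (c *cursor) u8() byte    { return c.bytes(1)[0] }
func (c *cursor) u16() uint16 { return binary.BigEndian.Uint16(c.bytes(2)) }

// decodeHeaders parses a headers block: repeated (name length, name, tag, value).
// strict=false models the pre-1.7.8 decoder, which panics on an unknown tag;
// strict=true returns ErrUnknownHeaderType so the caller can drop the stream.
func decodeHeaders(block []byte, strict bool) ([]Header, error) {
	c := &cursor{r: bytes.NewReader(block)}
	var headers []Header
	for c.r.Len() > 0 {
		h := Header{Name: string(c.bytes(int(c.u8())))}
		tag := c.u8()
		switch {
		case tag == typeBoolTrue || tag == typeBoolFalse:
			h.Value = tag == typeBoolTrue
		case tag == typeString:
			h.Value = string(c.bytes(int(c.u16())))
		case tag == typeByteArray:
			h.Value = c.bytes(int(c.u16()))
		case fixedWidth[tag] > 0:
			h.Value = c.bytes(fixedWidth[tag])
		default:
			if !strict {
				panic(fmt.Sprintf("unknown value type %d", tag)) // pre-fix behaviour
			}
			return nil, fmt.Errorf("%w: 0x%02x in header %q", ErrUnknownHeaderType, tag, h.Name)
		}
		if c.err != nil { // truncated block: report it rather than keep a partial header
			return nil, c.err
		}
		headers = append(headers, h)
	}
	return headers, nil
}

// header and strValue build wire bytes for the constructed samples below.
func header(name string, tag byte, value []byte) []byte {
	return append(append(append([]byte{byte(len(name))}, name...), tag), value...)
}

func strValue(s string) []byte {
	return append([]byte{byte(len(s) >> 8), byte(len(s))}, s...)
}

// Constructed samples, not captured traffic. malformedBlock's second header
// carries tag 0x2A, which is not a defined value type.
var (
	goodBlock      = append(header(":event-type", typeString, strValue("chunk")), header(":message-type", typeString, strValue("event"))...)
	malformedBlock = append(header(":event-type", typeString, strValue("chunk")), header(":x", 0x2A, []byte{0xde, 0xad})...)
)

func main() {
	defer func() { fmt.Println("pre-fix decoder panicked:", recover()) }()
	_, err := decodeHeaders(malformedBlock, true)
	fmt.Println("fixed decoder returned:", err)
	decodeHeaders(malformedBlock, false) // panics; the deferred recover above reports it
}
```

Running it prints the error from the fixed path and then the recovered panic from the pre-fix path. Two points follow from the format itself: the CRC32 fields that wrap a real message detect corruption, not tampering, so anyone who can alter the stream simply recomputes them; and a recover() in application code is no substitute for the upgrade, because the SDK's stream readers decode on goroutines started inside the SDK, and a panic on a goroutine you did not start cannot be caught from your own.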

Affected Systems

  • Applications that consume EventStream responses through the AWS SDK for Go v2; the report names Amazon S3 Select, Amazon Bedrock streaming invocations, Amazon CloudWatch Logs streams and AWS Lambda response streams
  • github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: < 1.7.8 (fixed in 1.7.8). This module holds the decoder, and it is usually an indirect dependency pulled in by a service client rather than something go.mod names directly.
  • github.com/aws/aws-sdk-go-v2/service/s3: < 1.97.3 (fixed in 1.97.3)
  • github.com/aws/aws-sdk-go-v2/service/bedrockruntime: < 1.50.4 (fixed in 1.50.4)

Mitigation Strategies

  • Upgrade the AWS SDK for Go v2 dependencies to the patched versions. This is the only complete fix: the panic happens inside the SDK, where application code generally cannot recover it.
  • Keep TLS certificate verification enabled on the SDK's HTTP client (it is on by default; never set InsecureSkipVerify outside local testing) so that an on-path attacker cannot alter responses. Treat certificate pinning as a weak supplement at best: AWS rotates endpoint certificates, so pins break, and TLS does nothing when the client has been pointed at an attacker-controlled endpoint through custom endpoint configuration, an emulator or a TLS-terminating proxy.
  • Audit Go module dependencies for indirect usage of the vulnerable eventstream package: it is pulled in transitively by the service clients that use event streaming, so a build is affected even when go.mod never mentions it.

Remediation Steps:

  1. Open the project's go.mod file.
  2. Update github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream to v1.7.8 or higher. If go.mod lists it only as an indirect dependency, raise it there anyway: Go's minimal version selection then guarantees the build resolves to at least that version.
  3. Update the affected service clients (for example github.com/aws/aws-sdk-go-v2/service/s3 to v1.97.3 or higher and github.com/aws/aws-sdk-go-v2/service/bedrockruntime to v1.50.4 or higher).
  4. Run 'go mod tidy' to resolve and clean up dependencies.
  5. Rebuild the application binary, confirm that the module versions which actually ended up in the build match the fixed releases, and deploy to production.
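For the audit bullet in the mitigation list and the verification at the end of the remediation steps, here is an added Go example (not a tool from the advisory, cvereports.com or the SDK project) that applies the three fixed versions to the output of go list -m all, which lists every module in the build graph including indirect ones. The sampleGoList constant is constructed for the example and the function and type names are its own. The version comparison is numeric rather than lexical (so v1.100.0 is newer than v1.97.3), treats a pre-release of the fixed version as still vulnerable, and reports a directory replace, whose version cannot be read from the listing, for manual inspection.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersions holds the fixed releases from the advisory; anything older is affected.
var fixedVersions = map[string]string{
	"github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream": "v1.7.8",
	"github.com/aws/aws-sdk-go-v2/service/s3":                 "v1.97.3",
	"github.com/aws/aws-sdk-go-v2/service/bedrockruntime":     "v1.50.4",
}

// Finding is one advisory module resolved below its fix, or one whose version could not be read.
type Finding struct {
	Module, Have, Want, Reason string
}

type semver struct {
	num [3]int
	pre bool // "-rc1" or a pseudo-version suffix; "+incompatible" is not a pre-release
}

// parseVersion accepts "v1.7.8", "v1.7.8-rc1", "v1.7.8+incompatible" and pseudo-versions.
func parseVersion(v string) (semver, error) {
	var s semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		s.pre, v = v[i] == '-', v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return s, fmt.Errorf("not a semver version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return s, fmt.Errorf("not a semver version: %q", v)
		}
		s.num[i] = n
	}
	return s, nil
}

// older reports whether a sorts before b: numeric comparison, with a
// pre-release of the fixed version still counting as older than the fix.
func older(a, b semver) bool {
	for i := range a.num {
		if a.num[i] != b.num[i] {
			return a.num[i] < b.num[i]
		}
	}
	return a.pre && !b.pre
}

// auditModules scans `go list -m all` output, one "path version" per line with
// "path v1 => other v2" (or "=> ../dir") for replaced modules, and returns the
// advisory modules resolved below their fix or whose version cannot be parsed.
func auditModules(goListOutput string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(goListOutput, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || fixedVersions[f[0]] == "" {
			continue // blank line, the main module (which has no version), or not an advisory module
		}
		path, version, want := f[0], f[1], fixedVersions[f[0]]
		if len(f) >= 4 && f[2] == "=>" { // replace directive: the replacement is what gets built
			version = f[len(f)-1] // "=> other v2" yields v2; "=> ../dir" yields the dir, which fails to parse
		}
		have, err := parseVersion(version)
		if err != nil {
			findings = append(findings, Finding{path, version, want, "version not checkable, inspect the replacement"})
			continue
		}
		fixed, _ := parseVersion(want) // table entries are valid semver
		if older(have, fixed) {
			findings = append(findings, Finding{path, version, want, "below fixed version"})
		}
	}
	return findings
}

// sampleGoList is constructed for this example; feed it real `go list -m all` output instead.
const sampleGoList = `example.com/app
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.7
github.com/aws/aws-sdk-go-v2/service/bedrockruntime v1.50.4
github.com/aws/aws-sdk-go-v2/service/s3 v1.97.2 => github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3
github.com/aws/smithy-go v1.22.3
`

func main() {
	for _, f := range auditModules(sampleGoList) {
		fmt.Printf("%s: have %s, need %s (%s)\n", f.Module, f.Have, f.Want, f.Reason)
	}
}
```

On the sample listing only the eventstream module is reported: bedrockruntime sits exactly at its fix, and the s3 replace resolves to the fixed release. For real data, read go list -m all output instead of the constant. For a binary that is already deployed, go version -m <binary> prints the embedded module list in a tab-separated form that needs a small parser adjustment; either way the check belongs in CI so the fix cannot regress through a later go.mod edit.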
