GHSA-xmrv-pmrh-hhx2

Source
https://github.com/advisories/GHSA-xmrv-pmrh-hhx2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xmrv-pmrh-hhx2
Published
2026-04-08T00:18:56Z
Modified
2026-04-08T15:44:15.947571236Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder
Details

CVSSv3.1 Rating: [Medium] CVSSv3.1 Score: [5.9] CVSSv3.1 Vector String: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H]

Summary and Impact

An issue exists in the EventStream header decoder in AWS SDK for Go v2 in versions predating 2026-03-23. An actor can send a malformed EventStream response frame containing a crafted header value type byte outside the valid range, which can cause the host process to terminate.

Impacted versions: < 2026-03-23
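As a defender-side illustration of the failure described above, the following is an added example (not the SDK's own decoder code): a simplified header-block parser that range-checks the value type byte before it indexes a size table, so a malformed frame surfaces as an error to the caller instead of terminating the process. The header layout it assumes (1-byte name length, name, 1-byte value type, value; types 0 through 9, with 6 and 7 carrying a 2-byte length prefix) follows the public EventStream encoding; the function, type and error names are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
)

var (
	// Payload size per EventStream header value type (types 0 through 9);
	// -1 marks the two length-prefixed types (6 = bytes, 7 = string).
	fixedValueLen = [10]int{0, 0, 1, 2, 4, 8, -1, -1, 8, 16}
	ErrBadType    = errors.New("eventstream: header value type byte out of range")
	ErrTruncated  = errors.New("eventstream: truncated header block")
)

type Header struct {
	Name  string
	Type  byte
	Value []byte // raw encoded value, not interpreted here
}

// DecodeHeaders parses a frame's header block. The type byte is range-checked
// before it indexes fixedValueLen, so a crafted byte becomes an error, not a panic.
func DecodeHeaders(buf []byte) ([]Header, error) {
	var hs []Header
	for len(buf) > 0 {
		nameLen := int(buf[0])
		if len(buf) < nameLen+2 { // length byte + name + type byte
			return nil, ErrTruncated
		}
		name, t := string(buf[1:1+nameLen]), buf[1+nameLen]
		if int(t) >= len(fixedValueLen) {
			return nil, ErrBadType
		}
		buf = buf[nameLen+2:]
		vlen := fixedValueLen[t]
		if vlen < 0 { // length-prefixed value: 2-byte big-endian length
			if len(buf) < 2 {
				return nil, ErrTruncated
			}
			vlen, buf = int(binary.BigEndian.Uint16(buf)), buf[2:]
		}
		if len(buf) < vlen {
			return nil, ErrTruncated
		}
		hs = append(hs, Header{Name: name, Type: t, Value: buf[:vlen]})
		buf = buf[vlen:]
	}
	return hs, nil
}
```

A wrapper that also `recover()`s around the real SDK decoder is a useful belt-and-braces measure while rolling out the patched versions, but the check above is the one that removes the crash path.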

Patches

This issue has been addressed in versions 2026-03-23 and above. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds

Not Applicable

References

If you have any questions or comments about this advisory, we ask that you contact [AWS/Amazon] Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20"
    ],
    "github_reviewed_at": "2026-04-08T00:18:56Z"
}
Affected packages

Go
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream

Package

Name
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.7.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"
github.com/aws/aws-sdk-go-v2/service/bedrockagentcore

Package

Name
github.com/aws/aws-sdk-go-v2/service/bedrockagentcore
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/service/bedrockagentcore

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.15.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"
github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime

Package

Name
github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.51.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"
github.com/aws/aws-sdk-go-v2/service/bedrockruntime

Package

Name
github.com/aws/aws-sdk-go-v2/service/bedrockruntime
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/service/bedrockruntime

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.50.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"
github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs

Package

Name
github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.65.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"
github.com/aws/aws-sdk-go-v2/service/iotsitewise

Package

Name
github.com/aws/aws-sdk-go-v2/service/iotsitewise
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/service/iotsitewise

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.52.19

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"
github.com/aws/aws-sdk-go-v2/service/kinesis

Package

Name
github.com/aws/aws-sdk-go-v2/service/kinesis
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/service/kinesis

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.43.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"
github.com/aws/aws-sdk-go-v2/service/lambda

Package

Name
github.com/aws/aws-sdk-go-v2/service/lambda
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/service/lambda

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.88.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"
github.com/aws/aws-sdk-go-v2/service/lexruntimev2

Package

Name
github.com/aws/aws-sdk-go-v2/service/lexruntimev2
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/service/lexruntimev2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.35.15

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"
github.com/aws/aws-sdk-go-v2/service/s3

Package

Name
github.com/aws/aws-sdk-go-v2/service/s3
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/service/s3

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.97.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"
github.com/aws/aws-sdk-go-v2/service/sagemakerruntime

Package

Name
github.com/aws/aws-sdk-go-v2/service/sagemakerruntime
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/service/sagemakerruntime

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.39.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"
github.com/aws/aws-sdk-go-v2/service/transcribestreaming

Package

Name
github.com/aws/aws-sdk-go-v2/service/transcribestreaming
Purl
pkg:golang/github.com/aws/aws-sdk-go-v2/service/transcribestreaming

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.34.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xmrv-pmrh-hhx2/GHSA-xmrv-pmrh-hhx2.json"