aws-sdk
AWS SDK for JavaScript
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:sax | AI (phantom-deps): sax is declared and used in aws-sdk's XML parsing; phantom-dep pattern is stable for this package. | ai | |
| phantom-deps | phantom-dep:ieee754 | AI (phantom-deps): ieee754 is declared and used in aws-sdk's binary encoding; phantom-dep pattern is stable for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in process_credentials.js to execute user-configured credential_process commands per AWS credential provider spec. Intentional and documented. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall runs warn-maintenance-mode.js, a benign script notifying users that AWS SDK v2 has reached end-of-support. Stable and expected for this package. | ai | |
| osv | osv:GHSA-j965-2qgj-vjmq | AI (osv): Informational advisory only; no security patch exists or is needed. Advisory explicitly states SDK is functioning as designed. Covers all v2 versions with no fix path in v2. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): proc.exec() runs the user-configured credential_process from AWS config — this is the documented AWS credential process provider behavior. | ai | |
| semgrep | semgrep:credential-dir-access | AI (semgrep): AWS SDK v2 legitimately reads ~/.aws/credentials as part of its documented credential provider chain. Not credential harvesting. | ai |
Versions (showing 51 of 794)
| Version | Deps | Published |
|---|---|---|
| 2.1692.0 | 10 / 23 | |
| 2.1690.0 | 10 / 23 | |
| 2.1689.0 | 10 / 23 | |
| 2.1683.0 | 10 / 23 | |
| 2.1680.0 | 10 / 23 | |
| 2.1677.0 | 10 / 23 | |
| 2.1676.0 | 10 / 23 | |
| 2.1675.0 | 10 / 23 | |
| 2.1671.0 | 10 / 23 | |
| 2.1668.0 | 10 / 23 | |
| 2.1663.0 | 10 / 23 | |
| 2.1662.0 | 10 / 23 | |
| 2.1657.0 | 10 / 23 | |
| 2.1648.0 | 10 / 23 | |
| 2.1644.0 | 10 / 23 | |
| 2.1641.0 | 10 / 23 | |
| 2.1637.0 | 10 / 23 | |
| 2.1631.0 | 10 / 23 | |
| 2.1627.0 | 10 / 23 | |
| 2.1625.0 | 10 / 23 | |
| 2.1624.0 | 10 / 23 | |
| 2.1623.0 | 10 / 23 | |
| 2.1620.0 | 10 / 23 | |
| 2.1617.0 | 10 / 23 | |
| 2.1613.0 | 10 / 23 | |
| 2.1611.0 | 10 / 23 | |
| 2.1606.0 | 10 / 23 | |
| 2.1603.0 | 10 / 23 | |
| 2.1602.0 | 10 / 23 | |
| 2.1601.0 | 10 / 23 | |
| 2.1600.0 | 10 / 23 | |
| 2.1599.0 | 10 / 23 | |
| 2.1598.0 | 10 / 23 | |
| 2.1597.0 | 10 / 23 | |
| 2.1596.0 | 10 / 23 | |
| 2.1594.0 | 10 / 23 | |
| 2.1592.0 | 10 / 23 | |
| 2.1591.0 | 10 / 23 | |
| 2.1590.0 | 10 / 23 | |
| 2.1589.0 | 10 / 23 | |
| 2.1588.0 | 10 / 23 | |
| 2.1587.0 | 10 / 23 | |
| 2.1586.0 | 10 / 23 | |
| 2.1585.0 | 10 / 23 | |
| 2.1584.0 | 10 / 23 | |
| 2.1582.0 | 10 / 23 | |
| 2.1581.0 | 10 / 23 | |
| 2.1580.0 | 10 / 23 | |
| 2.1579.0 | 10 / 23 | |
| 2.1578.0 | 10 / 23 | |
| 2.1577.0 | 10 / 23 |
v2.1692.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1690.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1689.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1683.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1680.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1677.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1676.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1675.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1671.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1668.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1663.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1662.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1657.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1648.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1644.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1641.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1637.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1631.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1627.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1625.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1624.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1623.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1620.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1617.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1613.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1611.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1606.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1603.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1602.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1601.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1600.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1599.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1598.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1597.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1596.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1594.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1592.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1591.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1590.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1589.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1588.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1587.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1586.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1585.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1584.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1582.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1581.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1580.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1579.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1578.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
v2.1577.0
2 findingsPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
[Accepted risk] CVSS 3.7 (LOW) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [[email protected]](mailto:[email protected]). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.