GHSA-j965-2qgj-vjmq
LOWJavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
aws-sdknpmDescription
CVSSv3.1 Rating: 3.7 (LOW)
Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version.
Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features.
Impacted versions: All versions of AWS SDK for JavaScript v2
Patches No security patch is required, this is an informational advisory.
Workarounds
- Implement proper input sanitization in your application code
- Migrate to AWS SDK for JavaScript v3
- Follow AWS security best practices for SDK configuration
References Contact AWS Security via the vulnerability reporting page or email [email protected].
Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | aws-sdk | ≥ 2.0.0 | No fix |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for aws-sdk. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of aws-sdk has shipped for GHSA-j965-2qgj-vjmq yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-j965-2qgj-vjmq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-j965-2qgj-vjmq. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-j965-2qgj-vjmq in your dependencies?
O3 detects GHSA-j965-2qgj-vjmq across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.