GHSA-rjfv-pjvx-mjgv
AWS Load Balancer Controller automatically detaches externally associated web ACL from Application Load Balancers
Blast Radius
sigs.k8s.io/aws-load-balancer-controllerReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The AWS Load Balancer Controller includes an optional, default-enabled feature that manages WAF WebACLs on Application Load Balancers (ALBs) on your behalf. In versions 2.8.1 and earlier, if the WebACL annotation [1] alb.ingress.kubernetes.io/wafv2-acl-arn or alb.ingress.kubernetes.io/waf-acl-id was absent on Ingresses, the controller would automatically disassociate any existing WebACL from the ALBs, including those associated by AWS Firewall Manager (FMS). Customers on impacted versions should upgrade to prevent this issue from occurring.
Impact
WebACLs attached to ALBs managed by the AWS Load Balancer Controller through methods other than Ingress annotations may be automatically removed, leaving the ALBs unprotected by WebACL.
Impacted versions: [>=2.0.0;<2.8.2]
Patches
We addressed this issue in version 2.8.2 [2] and recommend customers upgrade. Now, if the WebACL annotation is absent on Ingress objects, any existing WebACL on the ALB will remain intact instead of being removed.
Workarounds
If the previous behavior affected you, you can mitigate it by disabling the WebACL management feature using the --enable-waf and --enable-wafv2 command-line flags [3]
References
If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page [4] or directly via email to [email protected]. Please do not create a public GitHub issue.
[2] https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.8.2
[4] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | sigs.k8s.io/aws-load-balancer-controller | ≥ 2.0.0&&< 2.8.2 | 2.8.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for sigs.k8s.io/aws-load-balancer-controller. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update sigs.k8s.io/aws-load-balancer-controller to 2.8.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-rjfv-pjvx-mjgv is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-rjfv-pjvx-mjgv is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-rjfv-pjvx-mjgv. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-rjfv-pjvx-mjgv in your dependencies?
O3 detects GHSA-rjfv-pjvx-mjgv across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.