Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

GHSA-mvm6-f9r3-fgfx

AWS SDK for .NET: Improper escaping of special characters in CloudFront policy document construction
Back to all
CVE

GHSA-mvm6-f9r3-fgfx

AWS SDK for .NET: Improper escaping of special characters in CloudFront policy document construction

Summary 

This notification is related to the CloudFront signing utilities in the AWS SDK for .NET, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and backslashes, in input values. 

Impact 

The CloudFront signing utilities build policy documents that define access restrictions for signed URLs and cookies. If an application passes unsanitized input containing special characters to these utilities, the resulting policy document may not reflect the application's intended access restrictions. While the SDK was functioning safely within the requirements of the shared responsibility model, additional safeguards have been added to support secure customer implementations. Applications that already follow AWS security best practices for input validation are not impacted. 

Impacted versions: 

  • AWS SDK for .NET V3 (AWSSDK.CloudFront): < 3.7.510.7
  • AWS SDK for .NET V4 (AWSSDK.Extensions.CloudFront.Signers): 4.0.0.0 - 4.0.0.25 

Patches 

On February 25th, 2026, an enhancement was made to the AWS SDK for .NET CloudFront signing utilities. The enhancement ensures that special characters in input values are correctly handled. We recommend upgrading to the latest version. 

Workarounds 

No workarounds are needed, but customers should ensure that your application is following security best practices: 

  • Implement proper input validation in your application code before passing values to CloudFront signing utilities 
  • Update to the latest AWS SDK release on a regular basis 
  • Follow AWS security best practices for SDK configuration

References 

If there are any questions or comments about this advisory, contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Acknowledgement

AWS SDK for .NET thanks the Amazon Inspector Security Research team for identifying this issue and working through the coordinated process together.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
C
H
U
7.2
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Related Resources

No items found.

References

https://github.com/aws/aws-sdk-net/security/advisories/GHSA-mvm6-f9r3-fgfx, https://github.com/aws/aws-sdk-net

Severity

7.2

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.2
EPSS Probability
0%
EPSS Percentile
0%
Introduced Version
0,4.0.0.0,4.0.0-preview.2,3.0.1-preview,3.0.0-preview,2.3.36,1.5.23,2.0.0-beta,1.5.2
Fix Available
3.7.510.7,4.0.0.26,3.7.510.8

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading