GHSA-27qh-8cxx-2cr5: AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters

March 27, 2026

This notification is related to the CloudFront signing utilities in the AWS SDK for PHP, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and backslashes, in input values.

References

github.com/advisories/GHSA-27qh-8cxx-2cr5
github.com/aws/aws-sdk-php
github.com/aws/aws-sdk-php/blob/master/src/CloudFront/Signer.php
github.com/aws/aws-sdk-php/releases/tag/3.371.4
github.com/aws/aws-sdk-php/security/advisories/GHSA-27qh-8cxx-2cr5

Code Behaviors & Features

Detect and mitigate GHSA-27qh-8cxx-2cr5 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →