GHSA-xmrv-pmrh-hhx2: Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder
An issue exists in the EventStream header decoder in AWS SDK for Go v2 in versions predating 2026-03-23. An actor can send a malformed EventStream response frame containing a crafted header value type byte outside the valid range, which can cause the host process to terminate.
Impacted versions: < 2026-03-23
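The defensive pattern for this class of bug, as an added example that is not the SDK's code or its fix: a header decoder that returns an error for an unknown value type byte or truncated input instead of panicking. The name `DecodeHeader`, the error value and the sample bytes are hypothetical; the type codes 0 through 9 and the length-prefix layout are assumed from the public EventStream message format, not taken from this advisory.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Value type codes of the EventStream wire format (assumed): only 0 through 9 are valid.
const (
	typeTrue, typeFalse, typeByte, typeInt16, typeInt32       = 0, 1, 2, 3, 4
	typeInt64, typeBytes, typeString, typeTimestamp, typeUUID = 5, 6, 7, 8, 9
)
var ErrHeader = errors.New("eventstream: malformed header")

// fixedLen gives the payload size in bytes of each fixed-width value type.
var fixedLen = map[byte]int{typeTrue: 0, typeFalse: 0, typeByte: 1, typeInt16: 2,
	typeInt32: 4, typeInt64: 8, typeTimestamp: 8, typeUUID: 16}

// DecodeHeader (hypothetical) returns name, type, raw value and bytes consumed.
func DecodeHeader(buf []byte) (string, byte, []byte, int, error) {
	if len(buf) < 1 || len(buf) < 2+int(buf[0]) {
		return "", 0, nil, 0, ErrHeader // truncated before the type byte
	}
	n := 1 + int(buf[0])
	name, typ := string(buf[1:n]), buf[n]
	n++
	size, fixed := fixedLen[typ]
	switch {
	case fixed: // size already known from the table
	case typ == typeBytes || typ == typeString: // 2-byte big-endian length prefix
		if len(buf) < n+2 {
			return "", typ, nil, 0, ErrHeader
		}
		size = int(binary.BigEndian.Uint16(buf[n:]))
		n += 2
	default: // type byte outside 0..9: reject with an error, never panic
		return "", typ, nil, 0, fmt.Errorf("%w: unknown value type %d", ErrHeader, typ)
	}
	if len(buf) < n+size {
		return "", typ, nil, 0, ErrHeader // value truncated
	}
	return name, typ, buf[n : n+size], n + size, nil
}

func main() {
	// Constructed sample: header "id" with type byte 42, outside the valid range.
	fmt.Println(DecodeHeader([]byte{2, 'i', 'd', 0x2A}))
}
```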