GHSA-g59m-gf8j-gjf5: AWS SDK for Rust v1 adopted defense in depth enhancement for region parameter value

January 8, 2026

This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value.

A defense-in-depth enhancement has been implemented in the AWS SDK for Rust. This enhancement validates that a region used to construct an endpoint URL is a valid host label. The change was released on November 6, 2025. This advisory is informational to help customers understand their responsibilities regarding configuration security.

References

docs.aws.amazon.com/sdk-for-rust/latest/dg/security.html
github.com/advisories/GHSA-g59m-gf8j-gjf5
github.com/awslabs/aws-sdk-rust
github.com/awslabs/aws-sdk-rust/security/advisories/GHSA-g59m-gf8j-gjf5
github.com/smithy-lang/smithy-rs/pull/4383

Code Behaviors & Features

Detect and mitigate GHSA-g59m-gf8j-gjf5 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →