
[MEDIUM] Security Advisory: Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder (github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream, github.com/aws/aws-sdk-go-v2/service/bedrockagentcore, github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime)

AWS SDK for Go v2 contains a denial-of-service vulnerability in its EventStream header decoder. An attacker can craft a malformed response frame with an invalid header value type byte, triggering a panic that crashes the host process. CVSS v3.1 scores it 5.9 (Medium), with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. This hits versions before the release-2026-03-23 tag, specifically in the github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream, github.com/aws/aws-sdk-go-v2/service/bedrockagentcore, and github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime modules.

Affected code lives in AWS Bedrock Agent services, which handle AI agent invocations and runtime streaming. Bedrock, Amazon’s foundation for generative AI models, uses EventStream protocol for real-time, bidirectional communication—think streaming chat completions or agent tool calls. Developers integrating Bedrock Agents via Go pull in this SDK, exposing apps to the flaw if unpatched.

Technical Details

The bug stems from poor input validation in the EventStream decoder. Valid header value types range from 0x00 to 0x07; any other value should produce a graceful error, but instead the decoder panics. An attacker needs network access to send a tainted frame—prepend a byte like 0xFF to a legitimate EventStream message. Attack complexity rates high (AC:H) because forging a realistic AWS-signed response demands replaying auth tokens or exploiting a proxy/man-in-the-middle setup. No privileges, user interaction, or confidentiality/integrity impact—just availability DoS.

In practice, pure client-server flows with AWS see low risk. Bedrock servers craft frames; they don’t accept arbitrary input from attackers. But real-world apps often proxy streams, integrate third-party EventStreams, or expose endpoints relaying Bedrock outputs. Custom forks of the SDK amplify exposure. The AWS SDK for Go v2, now past its 1.50.x releases (date-tagged like v1.20240325), sees frequent updates—600+ contributors, 10k+ stars on GitHub. This vuln slipped through until the 2026-03-23 release, which adds bounds checks: if the type byte is greater than 7, the decoder returns an error instead of panicking.
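As an added illustration (constructed here, not the SDK’s own code), a minimal Go model of the decoder’s value-type dispatch: the unchecked table lookup panics on a type byte such as 0xFF, the hardened form applies the bounds check the fix describes, and a recover() wrapper shows the stopgap for code that cannot upgrade yet. The type-name labels are illustrative and the 0x00..0x07 range follows the advisory text above.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed example, not the SDK's code: a minimal model of how an
// EventStream header decoder dispatches on the value-type byte.
// The advisory gives the valid range as 0x00..0x07; names are illustrative.
const maxHeaderValueType = 0x07

var valueTypeNames = [maxHeaderValueType + 1]string{
	"bool_true", "bool_false", "byte", "short", "integer", "long", "byte_array", "string",
}

// ErrInvalidHeaderValueType is what the hardened decoder returns for bad input.
var ErrInvalidHeaderValueType = errors.New("eventstream: invalid header value type")

// decodeTypeUnchecked mirrors the vulnerable pattern: the type byte indexes a
// fixed table with no bounds check, so 0xFF panics with index out of range.
func decodeTypeUnchecked(b byte) string {
	return valueTypeNames[b]
}

// decodeTypeChecked is the hardened form: anything above 0x07 becomes an error
// the caller can handle instead of a process-ending panic.
func decodeTypeChecked(b byte) (string, error) {
	if b > maxHeaderValueType {
		return "", fmt.Errorf("%w: 0x%02x", ErrInvalidHeaderValueType, b)
	}
	return valueTypeNames[b], nil
}

// safeDecode is a stopgap recover() wrapper for code that cannot upgrade yet:
// a decoder panic is converted into an error so one bad frame does not crash
// the whole process.
func safeDecode(b byte) (name string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("eventstream: decoder panic recovered: %v", r)
		}
	}()
	return decodeTypeUnchecked(b), nil
}

func main() {
	for _, b := range []byte{0x07, 0xFF} {
		name, err := decodeTypeChecked(b)
		fmt.Printf("checked 0x%02x -> %q err=%v\n", b, name, err)
		name, err = safeDecode(b)
		fmt.Printf("wrapped 0x%02x -> %q err=%v\n", b, name, err)
	}
}
```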

Fixes and Workarounds

Upgrade immediately to release-2026-03-23 or later. Run

go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@release-2026-03-23
go get github.com/aws/aws-sdk-go-v2/service/bedrockagentcore@latest
go get github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime@latest
go mod tidy

then rebuild. Vendored or forked code demands manual patches—diff the commits from the release. No workarounds exist; input sanitization pre-decoder isn’t viable without rewriting protocol logic.

AWS advises reporting via their vulnerability page or aws-security@amazon.com—no public GitHub issues. They fixed it quietly, typical for SDKs where disclosure lags service vulns.

Implications for Developers

This matters because Bedrock Agents power production AI workflows—autonomous tasks like data analysis or customer support. A DoS crash halts invocations mid-stream, breaking user sessions or batch jobs. In high-traffic apps (Bedrock handles millions of inferences daily), repeated attacks amplify downtime costs—think $0.003 per 1k input tokens scaling to enterprise bills.

Skeptically, CVSS 5.9 underrates remote DoS in streaming protocols; real exploits via compromised upstreams or SDK misuse aren’t rare. AWS SDKs have prior decoder bugs (e.g., XML parsing panics in S3). Go’s runtime panics aid attackers—use recover() wrappers if patching lags. Broader lesson: Vet SDK deps rigorously; go list -m all | grep aws reveals exposures. With Bedrock’s growth (Q1 2024 revenue up 200% YoY), unpatched Go integrations invite opportunistic crashes. Patch now; monitor AWS security advisories weekly.

April 8, 2026 · Source: GitHub Security