security(gomod): 🛡️ minor 🛡️ vulnerability [medium]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.6.2 → v1.7.8
github.com/aws/aws-sdk-go-v2/service/s3	v1.55.1 → v1.97.3

---

Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder

GHSA-xmrv-pmrh-hhx2

More information

Details

CVSSv3.1 Rating: [Medium]
CVSSv3.1 Score: [5.9]
CVSSv3.1 Vector String: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H]

Summary and Impact

An issue exists in the the EventStream header decoder in AWS SDK for Go v2 in versions predating 2026-03-23. An actor can send a malformed EventStream response frame containing a crafted header value type byte outside the valid range, which can cause the host process to terminate.

Impacted versions: < 2026-03-23

Patches

This issue has been addressed in versions 2026-03-23 and above. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds

Not Applicable

References

If you have any questions or comments about this advisory, we ask that you contact [AWS/Amazon] Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/aws/aws-sdk-go-v2/security/advisories/GHSA-xmrv-pmrh-hhx2
• https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23
• https://github.com/advisories/GHSA-xmrv-pmrh-hhx2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder

GHSA-xmrv-pmrh-hhx2

More information

Details

CVSSv3.1 Rating: [Medium]
CVSSv3.1 Score: [5.9]
CVSSv3.1 Vector String: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H]

Summary and Impact

An issue exists in the the EventStream header decoder in AWS SDK for Go v2 in versions predating 2026-03-23. An actor can send a malformed EventStream response frame containing a crafted header value type byte outside the valid range, which can cause the host process to terminate.

Impacted versions: < 2026-03-23

Patches

This issue has been addressed in versions 2026-03-23 and above. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds

Not Applicable

References

If you have any questions or comments about this advisory, we ask that you contact [AWS/Amazon] Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/aws/aws-sdk-go-v2/security/advisories/GHSA-xmrv-pmrh-hhx2
• https://github.com/aws/aws-sdk-go-v2
• https://github.com/aws/aws-sdk-go-v2/releases/tag/release-2026-03-23

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream)

v1.7.7

General Highlights

• Dependency Update: Updated to the latest SDK module versions

Module Highlights

• github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression: v1.7.79
  • Bug Fix: allow nested list indices in expressions
• github.com/aws/aws-sdk-go-v2/service/connectcontactlens: v1.28.0
  • Feature: Making sentiment optional for ListRealtimeContactAnalysisSegments Response depending on conversational analytics configuration
• github.com/aws/aws-sdk-go-v2/service/detective: v1.33.0
  • Feature: Add support for Detective DualStack endpoints
• github.com/aws/aws-sdk-go-v2/service/dynamodb: v1.42.4
  • Documentation: Doc only update for API descriptions.
• github.com/aws/aws-sdk-go-v2/service/marketplaceentitlementservice: v1.29.0
  • Feature: Add support for Marketplace Entitlement Service dual-stack endpoints for CN and GOV regions
• github.com/aws/aws-sdk-go-v2/service/marketplacemetering: v1.29.0
  • Feature: Add support for Marketplace Metering Service dual-stack endpoints for CN regions
• github.com/aws/aws-sdk-go-v2/service/verifiedpermissions: v1.23.0
  • Feature: Adds deletion protection support to policy stores. Deletion protection is disabled by default, can be enabled via the CreatePolicyStore or UpdatePolicyStore APIs, and is visible in GetPolicyStore.

v1.7.2

General Highlights

• Dependency Update: Updated to the latest SDK module versions

Module Highlights

• github.com/aws/aws-sdk-go-v2/service/amp: v1.34.0
  • Feature: Add QueryLoggingConfiguration APIs for Amazon Managed Prometheus
• github.com/aws/aws-sdk-go-v2/service/auditmanager: v1.39.0
  • Feature: With this release, the AssessmentControl description field has been deprecated, as of May 19, 2025. Additionally, the UpdateAssessment API can now return a ServiceQuotaExceededException when applicable service quotas are exceeded.
• github.com/aws/aws-sdk-go-v2/service/dsql: v1.5.0
  • Feature: Features: support for customer managed encryption keys
• github.com/aws/aws-sdk-go-v2/service/glue: v1.113.0
  • Feature: This release supports additional ConversionSpec parameter as part of IntegrationPartition Structure in CreateIntegrationTableProperty API. This parameter is referred to apply appropriate column transformation for columns that are used for timestamp based partitioning
• github.com/aws/aws-sdk-go-v2/service/internal/checksum: v1.7.2
  • Bug Fix: Handle checksum for unseekable body with 0 content length

v1.7.1

General Highlights

• Dependency Update: Updated to the latest SDK module versions

Module Highlights

• github.com/aws/aws-sdk-go-v2/service/acm: v1.32.0
  • Feature: Add support for file-based HTTP domain control validation, available through Amazon CloudFront.
• github.com/aws/aws-sdk-go-v2/service/cloudfront: v1.46.0
  • Feature: Add distribution tenant, connection group, and multi-tenant distribution APIs to the CloudFront SDK.
• github.com/aws/aws-sdk-go-v2/service/dynamodb: v1.43.1
  • Documentation: Doc only update for GSI descriptions.
• github.com/aws/aws-sdk-go-v2/service/imagebuilder: v1.42.0
  • Feature: Add integration with SSM Parameter Store to Image Builder.
• github.com/aws/aws-sdk-go-v2/service/internal/checksum: v1.7.1
  • Bug Fix: Don't emit warnings about lack of checksum validation for non-200 responses.

v1.7.0

Module Highlights

• github.com/aws/aws-sdk-go-v2/service/billing: v1.10.0
  • Feature: Cost Categories filtering support to BillingView data filter expressions through the new costCategories parameter, enabling users to filter billing views by AWS Cost Categories for more granular cost management and allocation.
• github.com/aws/aws-sdk-go-v2/service/iotmanagedintegrations: v1.7.0
  • Feature: This release introduces WiFi Simple Setup (WSS) enabling device provisioning via barcode scanning with automated network discovery, authentication, and credential provisioning. Additionally, it introduces 2P Device Capability Rediscovery for updating hub-managed device capabilities post-onboarding.
• github.com/aws/aws-sdk-go-v2/service/sagemaker: v1.230.0
  • Feature: Added ultraServerType to the UltraServerInfo structure to support server type identification for SageMaker HyperPod

v1.6.9

General Highlights

• Dependency Update: Updated to the latest SDK module versions

Module Highlights

• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: v1.6.9
  • Bug Fix: Remove max limit on event stream messages
• github.com/aws/aws-sdk-go-v2/service/codebuild: v1.52.0
  • Feature: Added test suite names to test case metadata
• github.com/aws/aws-sdk-go-v2/service/connect: v1.125.0
  • Feature: Release Notes: 1) Analytics API enhancements: Added new ListAnalyticsDataLakeDataSets API. 2) Onboarding API Idempotency: Adds ClientToken to instance creation and management APIs to support idempotency.
• github.com/aws/aws-sdk-go-v2/service/databasemigrationservice: v1.48.0
  • Feature: Introduces premigration assessment feature to DMS Serverless API for start-replication and describe-replications
• github.com/aws/aws-sdk-go-v2/service/rdsdata: v1.27.0
  • Feature: Add support for Stop DB feature.
• github.com/aws/aws-sdk-go-v2/service/s3: v1.77.0
  • Feature: Added support for Content-Range header in HeadObject response.
• github.com/aws/aws-sdk-go-v2/service/wafv2: v1.56.0
  • Feature: The WAFv2 API now supports configuring data protection in webACLs.

---

Configuration

📅 Schedule: (in timezone America/Chicago)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 9 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.23.0 -> 1.24
github.com/aws/aws-sdk-go-v2	v1.27.2 -> v1.41.5
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.3.9 -> v1.4.21
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.6.9 -> v2.7.21
github.com/aws/aws-sdk-go-v2/internal/v4a	v1.3.9 -> v1.4.22
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.11.2 -> v1.13.7
github.com/aws/aws-sdk-go-v2/service/internal/checksum	v1.3.11 -> v1.9.13
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.11.11 -> v1.13.21
github.com/aws/aws-sdk-go-v2/service/internal/s3shared	v1.17.9 -> v1.19.21
github.com/aws/smithy-go	v1.20.2 -> v1.24.2

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 25.37%. Comparing base (a2521eb) to head (0c23a80).
⚠️ Report is 131 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #199      +/-   ##
==========================================
- Coverage   32.61%   25.37%   -7.24%     
==========================================
  Files          80       79       -1     
  Lines       10855    11088     +233     
==========================================
- Hits         3540     2814     -726     
- Misses       7027     8008     +981     
+ Partials      288      266      -22     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.