GHSA-h45p-w933-jxh3
JavaScript vulnerability analysis and mitigation

Overview

The vulnerability (GHSA-h45p-w933-jxh3) affects the aws-encryption-sdk-javascript package and involves improper verification of cryptographic signatures. The issue was discovered and published on May 27, 2021, affecting versions < 1.9.0 and >= 2.0.0, < 2.2.0 of both @aws-crypto/client-browser and @aws-crypto/client-node packages. The vulnerability is classified as moderate severity and primarily concerns the streaming mode functionality where plaintext of signed messages could be processed before ECDSA signature validation (GitHub Advisory).

Technical details

The vulnerability stems from the ESDK's streaming mode implementation, where callers could stream the plaintext of signed messages before ECDSA signature validation was completed. While the ESDK uses AES-GCM encryption and verifies all plaintext before release, premature access to plaintext before signature validation could compromise non-repudiation guarantees. Additionally, without signature validation, an actor with trusted KMS permissions to decrypt messages could potentially also encrypt messages (GitHub Advisory).

Impact

The vulnerability's impact is primarily focused on scenarios where applications rely on ECDSA signatures for non-repudiation. While there is no direct impact on the integrity of the ciphertext or decrypted plaintext, the issue could allow actors with KMS permissions to bypass signature validation controls. The vulnerability also exposed systems to potential processing of messages with excessive Encrypted Data Keys (EDKs), which could lead to unnecessary AWS KMS Decrypt API calls (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in versions 1.9.0 and 2.2.0. Users are strongly recommended to upgrade to these versions. For those using streaming features, the patch introduces a new API specifically for streaming unsigned messages, with a fallback to non-streaming decrypt API for signed messages. Additionally, a new configuration parameter has been introduced to limit the number of Encrypted Data Keys (EDKs) that the ESDK will process per message, helping protect against potential abuse. Users processing ESDK messages from untrusted sources should implement the new maximum encrypted data keys parameter (GitHub Advisory).
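The ordering problem and the patched behavior can be seen in a small Node.js sketch. This is an added example, not code from the ESDK or the advisory: it models only release-before-verify versus verify-before-release with a trailing ECDSA signature, leaves out the AES-GCM layer and the ESDK message format, and every function name and sample message in it is hypothetical.

```javascript
// Added illustration, not ESDK code: models only the order of
// "release plaintext" versus "verify the trailing ECDSA signature".
const crypto = require('node:crypto');

// Constructed signer key pair for the sample messages.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-384' });

function signMessage(chunks, key) {
  const signer = crypto.createSign('SHA384');
  for (const c of chunks) signer.update(c);
  return { chunks, signature: signer.sign(key) };
}

// Pre-patch ordering: every chunk reaches the caller before the signature is checked.
function releaseWhileStreaming(msg, key, onChunk) {
  const verifier = crypto.createVerify('SHA384');
  for (const c of msg.chunks) {
    verifier.update(c);
    onChunk(c); // caller already acts on data whose signer is unproven
  }
  if (!verifier.verify(key, msg.signature)) throw new Error('signature invalid');
}

// Patched ordering for signed messages: buffer, verify, and only then release.
function releaseAfterVerify(msg, key) {
  const verifier = crypto.createVerify('SHA384');
  for (const c of msg.chunks) verifier.update(c);
  if (!verifier.verify(key, msg.signature)) throw new Error('signature invalid');
  return Buffer.concat(msg.chunks);
}

// Hypothetical guard in the spirit of the per-message EDK limit.
function assertEdkLimit(edkCount, limit) {
  if (edkCount > limit) throw new Error('too many encrypted data keys');
}

// Feed both consumers a constructed message whose body was not produced by the signer.
function demo() {
  const good = signMessage([Buffer.from('transfer '), Buffer.from('100')], privateKey);
  const unsigned = { chunks: [Buffer.from('transfer '), Buffer.from('999')], signature: good.signature };
  const seen = [];
  let streamErr = null, bufferedErr = null, released = null;
  try { releaseWhileStreaming(unsigned, publicKey, (c) => seen.push(c.toString())); } catch (e) { streamErr = e.message; }
  try { released = releaseAfterVerify(unsigned, publicKey); } catch (e) { bufferedErr = e.message; }
  const ok = releaseAfterVerify(good, publicKey).toString();
  return { seen: seen.join(''), streamErr, bufferedErr, released, ok };
}

console.log(demo());
```

Both consumers reject the message, but only the streaming one has already handed its full body to the caller by the time the error is raised.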

This report was generated using AI.
