VulnerableCode Package Details - pkg:npm/aws-sdk@2.34.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-trz1-wjge-cqct Aliases: GHSA-j965-2qgj-vjmq	JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3 CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [aws-security@amazon.com](mailto:aws-security@amazon.com). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.	There are no reported fixed by versions.
VCID-w11s-s2tz-nyeu Aliases: CVE-2020-28472 GHSA-rrc9-gqf8-8rwg	Prototype pollution In aws-sdk/shared-ini-file-loader, if an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.	2.814.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-trz1-wjge-cqct
Aliases:
GHSA-j965-2qgj-vjmq

JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3 CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this is an informational advisory. Workarounds - Implement proper input sanitization in your application code - Migrate to AWS SDK for JavaScript v3 - Follow AWS security best practices for SDK configuration References Contact AWS Security via the vulnerability reporting page or email [aws-security@amazon.com](mailto:aws-security@amazon.com). Acknowledgement AWS Security thanks Guy Arazi for bringing these customer security considerations to our attention through the coordinated disclosure process.

There are no reported fixed by versions.

VCID-w11s-s2tz-nyeu
Aliases:
CVE-2020-28472
GHSA-rrc9-gqf8-8rwg

Prototype pollution In aws-sdk/shared-ini-file-loader, if an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.

2.814.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T06:36:33.049907+00:00	GitLab Importer	Affected by	VCID-trz1-wjge-cqct	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/aws-sdk/GHSA-j965-2qgj-vjmq.yml	38.6.0
2026-06-04T20:43:31.289208+00:00	GitLab Importer	Affected by	VCID-w11s-s2tz-nyeu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/aws-sdk/CVE-2020-28472.yml	38.6.0

2026-06-06T06:36:33.049907+00:00

GitLab Importer

Affected by

VCID-trz1-wjge-cqct

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/aws-sdk/GHSA-j965-2qgj-vjmq.yml

38.6.0

2026-06-04T20:43:31.289208+00:00

GitLab Importer

Affected by

VCID-w11s-s2tz-nyeu

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/aws-sdk/CVE-2020-28472.yml

38.6.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.0