Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 11 maven packages depend on io.awspring.cloud:spring-cloud-aws-sns (6 direct, 5 indirect)
Ecosystem-wide dependent count for version 4.0.0.
DescriptionGitHub Advisory
Impact
Applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages.
An unauthenticated attacker who knows the endpoint URL could send crafted HTTP POST requests mimicking SNS Notification or SubscriptionConfirmation messages, causing the application to:
- Process arbitrary payloads as if they were legitimate SNS notifications.
- Auto-confirm subscriptions or unsubscribe from attacker-controlled topics.
Affected versions: 3.0.0 through 3.4.2, 4.0.0, and 4.0.1.
The 3.x line will not receive a fix; users on 3.x should apply the workaround below or upgrade to 4.0.2.
Patches
Fixed in Spring Cloud AWS 4.0.2. When using Spring Boot auto-configuration, signature verification is enabled by default. Users should upgrade to 4.0.2.
Workarounds
Manually verify the SNS message signature in a servlet filter or Spring HandlerInterceptor before the request reaches the controller, using SnsMessageManager from the AWS SDK v2 sns-message-manager module.
Resources
- AWS SNS: Verifying the signatures of Amazon SNS messages (https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html)
- AWS SDK for Java v2: SnsMessageManager (https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/messagemanager/sns/SnsMessageManager.html)
- Fix PR: #1614
AnalysisAI
Spring Cloud AWS SNS HTTP/HTTPS endpoint handlers (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) in versions 3.0.0-3.4.2, 4.0.0, and 4.0.1 fail to verify the cryptographic signature of incoming SNS messages, allowing unauthenticated attackers who know the endpoint URL to send forged SNS notifications, subscription confirmations, or unsubscribe requests. This enables attackers to trigger arbitrary message processing, auto-confirm malicious topic subscriptions, or force unsubscription from legitimate topics. Fixed in Spring Cloud AWS 4.0.2 with signature verification enabled by default; 3.x line receives no patch and must use workarounds.
Technical ContextAI
Amazon SNS (Simple Notification Service) signs all outgoing messages using RSA-SHA256 signatures included in the SigningCertURL, MessageId, and Signature HTTP headers. Spring Cloud AWS provides Spring annotations to bind SNS HTTP POST requests directly to Java methods without requiring manual request parsing. The vulnerable code path uses the AWS SDK v2 SnsMessageManager class only for conditional message type detection, not for cryptographic verification. The fix introduces SnsMessageManager throughout the handler resolution chain to validate the RSA signature before unmarshalling the JSON payload. CWE-345 (Insufficient Verification of Data Authenticity) classifies the root cause: accepting external input (SNS message JSON) without cryptographic proof of origin. The Maven package io.awspring.cloud:spring-cloud-aws-sns is the affected artifact.
RemediationAI
Upgrade Spring Cloud AWS to version 4.0.2 or later immediately if using 4.0.0 or 4.0.1; the fix enables signature verification by default via the spring.cloud.aws.sns.verification configuration property (defaults to true). For users unable to immediately upgrade from 3.x, implement manual SNS message signature verification in a Spring HandlerInterceptor or servlet filter *before* the request reaches the @NotificationMessageMapping controller method, using the SnsMessageManager class from the AWS SDK v2 sns-message-manager module (https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/messagemanager/sns/SnsMessageManager.html). This workaround trade-off: adds complexity and latency to every SNS request but eliminates the forgery risk without upgrading. After upgrade, signature verification is on by default; disable only if absolutely necessary via spring.cloud.aws.sns.verification=false, though this negates the fix and is not recommended. Consult AWS SNS documentation on signature verification (https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html) for implementation details. Fix PR #1614 (https://github.com/awspring/spring-cloud-aws/pull/1614) demonstrates the exact integration pattern.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30302
GHSA-r4w4-wv68-qv85