Update module github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream to v1.7.8 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream	v1.6.2 → v1.7.8

GitHub Vulnerability Alerts

GHSA-xmrv-pmrh-hhx2

CVSSv3.1 Rating: [Medium]
CVSSv3.1 Score: [5.9]
CVSSv3.1 Vector String: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H]

Summary and Impact

An issue exists in the the EventStream header decoder in AWS SDK for Go v2 in versions predating 2026-03-23. An actor can send a malformed EventStream response frame containing a crafted header value type byte outside the valid range, which can cause the host process to terminate.

Impacted versions: < 2026-03-23

Patches

This issue has been addressed in versions 2026-03-23 and above. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds

Not Applicable

References

If you have any questions or comments about this advisory, we ask that you contact [AWS/Amazon] Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

---

Release Notes

aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream)

v1.7.7

General Highlights

• Dependency Update: Updated to the latest SDK module versions

Module Highlights

• github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression: v1.7.79
  • Bug Fix: allow nested list indices in expressions
• github.com/aws/aws-sdk-go-v2/service/connectcontactlens: v1.28.0
  • Feature: Making sentiment optional for ListRealtimeContactAnalysisSegments Response depending on conversational analytics configuration
• github.com/aws/aws-sdk-go-v2/service/detective: v1.33.0
  • Feature: Add support for Detective DualStack endpoints
• github.com/aws/aws-sdk-go-v2/service/dynamodb: v1.42.4
  • Documentation: Doc only update for API descriptions.
• github.com/aws/aws-sdk-go-v2/service/marketplaceentitlementservice: v1.29.0
  • Feature: Add support for Marketplace Entitlement Service dual-stack endpoints for CN and GOV regions
• github.com/aws/aws-sdk-go-v2/service/marketplacemetering: v1.29.0
  • Feature: Add support for Marketplace Metering Service dual-stack endpoints for CN regions
• github.com/aws/aws-sdk-go-v2/service/verifiedpermissions: v1.23.0
  • Feature: Adds deletion protection support to policy stores. Deletion protection is disabled by default, can be enabled via the CreatePolicyStore or UpdatePolicyStore APIs, and is visible in GetPolicyStore.

v1.7.1

General Highlights

• Dependency Update: Updated to the latest SDK module versions

Module Highlights

• github.com/aws/aws-sdk-go-v2/service/acm: v1.32.0
  • Feature: Add support for file-based HTTP domain control validation, available through Amazon CloudFront.
• github.com/aws/aws-sdk-go-v2/service/cloudfront: v1.46.0
  • Feature: Add distribution tenant, connection group, and multi-tenant distribution APIs to the CloudFront SDK.
• github.com/aws/aws-sdk-go-v2/service/dynamodb: v1.43.1
  • Documentation: Doc only update for GSI descriptions.
• github.com/aws/aws-sdk-go-v2/service/imagebuilder: v1.42.0
  • Feature: Add integration with SSM Parameter Store to Image Builder.
• github.com/aws/aws-sdk-go-v2/service/internal/checksum: v1.7.1
  • Bug Fix: Don't emit warnings about lack of checksum validation for non-200 responses.

v1.7.0

Module Highlights

• github.com/aws/aws-sdk-go-v2/service/billing: v1.10.0
  • Feature: Cost Categories filtering support to BillingView data filter expressions through the new costCategories parameter, enabling users to filter billing views by AWS Cost Categories for more granular cost management and allocation.
• github.com/aws/aws-sdk-go-v2/service/iotmanagedintegrations: v1.7.0
  • Feature: This release introduces WiFi Simple Setup (WSS) enabling device provisioning via barcode scanning with automated network discovery, authentication, and credential provisioning. Additionally, it introduces 2P Device Capability Rediscovery for updating hub-managed device capabilities post-onboarding.
• github.com/aws/aws-sdk-go-v2/service/sagemaker: v1.230.0
  • Feature: Added ultraServerType to the UltraServerInfo structure to support server type identification for SageMaker HyperPod

v1.6.9

General Highlights

• Dependency Update: Updated to the latest SDK module versions

Module Highlights

• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream: v1.6.9
  • Bug Fix: Remove max limit on event stream messages
• github.com/aws/aws-sdk-go-v2/service/codebuild: v1.52.0
  • Feature: Added test suite names to test case metadata
• github.com/aws/aws-sdk-go-v2/service/connect: v1.125.0
  • Feature: Release Notes: 1) Analytics API enhancements: Added new ListAnalyticsDataLakeDataSets API. 2) Onboarding API Idempotency: Adds ClientToken to instance creation and management APIs to support idempotency.
• github.com/aws/aws-sdk-go-v2/service/databasemigrationservice: v1.48.0
  • Feature: Introduces premigration assessment feature to DMS Serverless API for start-replication and describe-replications
• github.com/aws/aws-sdk-go-v2/service/rdsdata: v1.27.0
  • Feature: Add support for Stop DB feature.
• github.com/aws/aws-sdk-go-v2/service/s3: v1.77.0
  • Feature: Added support for Content-Range header in HeadObject response.
• github.com/aws/aws-sdk-go-v2/service/wafv2: v1.56.0
  • Feature: The WAFv2 API now supports configuring data protection in webACLs.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/aws/smithy-go	v1.20.2 -> v1.24.2