Fluid Attacks Database

Description

ex_aws_sns SigningCertURL not validated in verify_message/1

Summary

Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation.

This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines 'Elixir.ExAws.SNS':verify_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1.

'Elixir.ExAws.SNS':verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification.

This issue affects ex_aws_sns: from 2.0.1 before 2.3.5.

Configuration

The application must expose an HTTP endpoint that calls 'Elixir.ExAws.SNS':verify_message/1 on incoming request bodies.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
hex	ex_aws_sns	=2.0.1 \|\| =2.1.0 \|\| =2.2.0 \|\| =2.3.0 \|\| =2.3.1 \|\| =2.3.2 \|\| =2.3.3 \|\| =2.3.4 \|\| >=2.0.1 <2.3.5	2.3.5

Aliases

1. CVE-2026-470742. NVD-2026-470743. OSV-EEF-2026-470744. OSV-2026-470745. GCVE-2026-470746. GHSA-8jgf-23q5-x7xx

References

1. https://cna.erlef.org/cves/CVE-2026-47074.html2. https://github.com/ex-aws/ex_aws_sns/commit/1853d280b152d10384a1e21a22cf22152a60be48

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.