aws-appsync-subscription-link is vulnerable to Information Disclosure
Low Risk
Affected versions of this package expose authentication credentials in the WebSocket URL query string: sensitive header and payload values are appended directly to the connection URL instead of being sent through the Sec-WebSocket-Protocol header. Because URLs are routinely logged by browsers, proxies, monitoring tools, and intermediary servers, this can lead to unintended credential disclosure. An attacker able to access those logs, browser history, or captured network metadata may recover the leaked values and use them to impersonate the client, hijack the real-time connection, or perform unauthorized actions against the subscription endpoint.
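To make the weakness concrete, the following is an added example (not code from aws-appsync-subscription-link or AWS) contrasting the leaky connection setup the advisory describes with a header-based alternative, plus a small check a defender can run over URLs pulled from access logs. The endpoint, the header fields, the `header-` subprotocol prefix and the `graphql-ws` subprotocol name are constructed assumptions for illustration, not the library's real values.

```javascript
// Added example, not code from aws-appsync-subscription-link.
// Endpoint, header contents and subprotocol names are constructed assumptions.

const ENDPOINT = "wss://example.invalid/graphql/realtime"; // constructed endpoint
const AUTH_HEADER = {                                       // constructed auth header
  host: "example.invalid",
  Authorization: "Bearer constructed-token",
};

// Encode an object as unpadded base64url, which is safe inside both a query
// string and an RFC 6455 subprotocol token (no "=" padding, no "/" or "+").
function base64Url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Leaky pattern (the one the advisory describes): the encoded auth header and
// payload are placed in the query string, so every component that records the
// request line (browser history, proxies, load balancers, APM tools) keeps a copy.
function buildLeakyConnection(endpoint, header, payload) {
  const url = new URL(endpoint);
  url.searchParams.set("header", base64Url(header));
  url.searchParams.set("payload", base64Url(payload));
  return { url: url.toString(), protocols: ["graphql-ws"] };
}

// Hardened pattern: the URL carries no secrets. The encoded header is passed as
// an extra WebSocket subprotocol, which the client sends in the
// Sec-WebSocket-Protocol request header rather than in the URL.
// The "header-" prefix is an assumed naming convention for this example.
function buildHardenedConnection(endpoint, header) {
  const url = new URL(endpoint);
  return {
    url: url.toString(),
    protocols: [`header-${base64Url(header)}`, "graphql-ws"],
  };
}

// Defender-side check: given a URL recovered from a log line, list the query
// parameters that look like they carry authentication material.
const SENSITIVE_PARAMS = ["header", "payload", "authorization", "token", "x-api-key"];
function urlLeaksCredentials(urlString) {
  const url = new URL(urlString);
  return SENSITIVE_PARAMS.filter((name) => url.searchParams.has(name));
}

// Usage: open the socket with `new WebSocket(conn.url, conn.protocols)` in a
// browser or a Node runtime that provides WebSocket; shown here without
// connecting so the file runs offline.
const leaky = buildLeakyConnection(ENDPOINT, AUTH_HEADER, { query: "subscription { ping }" });
const hardened = buildHardenedConnection(ENDPOINT, AUTH_HEADER);
console.log("leaky URL leaks:", urlLeaksCredentials(leaky.url));       // ["header","payload"]
console.log("hardened URL leaks:", urlLeaksCredentials(hardened.url)); // []
```

The check above is deliberately name-based; when reviewing logs from a proxy or load balancer, it is also worth grepping for long base64url blobs in query strings, since the parameter names a library uses are not always predictable.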
You are affected if you are using a version that falls within the vulnerable range.
aws-appsync-subscription-link is vulnerable to Information Disclosure in versions 0.0.1 - 4.0.1.
Upgrade the aws-appsync-subscription-link library to a patched version.