Intel

AIKIDO-2026-634174

awswrangler is vulnerable to Improper Input Validation

Improper Input Validation Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

50

Medium Risk

This Affects:

Pythonawswrangler
3.2.0 - 3.16.1
Fixed in 3.17.0
Are you affected? Scan for Free

TL;DR

Affected versions of this package has a weakness in when creating Athena Iceberg tables via wr.athena.to_iceberg(). User-supplied columns_comments values and additional_table_properties keys/values are interpolated into the generated CREATE TABLE DDL without escaping single quotes. A value containing ' can terminate the surrounding string literal and append arbitrary DDL clauses such as LOCATION or TBLPROPERTIES, altering the structure of the query sent to Athena.

Who does this affect?

You are affected if you are using a version within the vulnerable range and call wr.athena.to_iceberg() with user-controlled or otherwise untrusted values in columns_comments or additional_table_properties.

Background info

awswrangler is vulnerable to Improper Input Validation in versions 3.2.0 - 3.16.1.

How to fix this

Upgrade the awswrangler library to the patch version.