Broken Compass: Redirecting the AWS SDK for .NET (CVE-2026-22611)

In the world of cloud development, we treat the AWS SDK like gravity—it's just there, it works, and we rarely question how it does its job. We assume that when we ask it to talk to S3, it actually talks to S3. But CVE-2026-22611 reminds us that even the most fundamental plumbing is built on code, and that code is built by humans who occasionally trust strings a little too much.

This vulnerability is a classic case of Server-Side Request Forgery (SSRF), but with a twist. It lives inside the library responsible for preventing us from having to worry about HTTP requests. The specific flaw resides in how the AWSSDK.Core component handles the region parameter. In the cloud, the 'region' is the compass. It tells the SDK where the data lives (e.g., us-east-1 or eu-west-1).

What happens when you hand a broken compass to a blind navigator? They walk right off a cliff. In this scenario, the 'cliff' is a server controlled by an attacker, and the 'navigator' is your application carrying a backpack full of sensitive authentication headers. While the CVSS score is a deceptive 3.7 (Low), the implications for an environment where configuration is mutable are anything but.

At its heart, this vulnerability is a failure of input validation, specifically CWE-20. The AWS SDK needs to construct endpoints dynamically. If you want to put an object into an S3 bucket in Virginia, the SDK constructs a URL that looks something like https://s3.us-east-1.amazonaws.com.

To do this, the SDK developers implemented a logic that essentially boils down to string interpolation: https://{service}.{region}.amazonaws.com. This is efficient and readable. It is also dangerous if {region} is not strictly defined as an alphanumeric string from a trusted enum.

In versions 4.0.0 through 4.0.3.2, the SDK treated the region input promiscuously. It didn't verify that us-east-1 was actually a valid AWS region. It just took whatever string was provided and shoved it into the URL template. This means the trust boundary was misplaced; the code assumed that the configuration source (environment variables, config files, or user input) was benevolent. In security, we know that assumptions are just vulnerabilities waiting to happen.

Let's look at the logic. While we don't have the exact proprietary source code of the vulnerable commit in front of us, the behavior is well-documented. A simplified C# representation of the vulnerable logic looks like this:

// Vulnerable Logic Representation
public Uri GetEndpointForService(string serviceName, string region)
{
    // No validation that 'region' is a valid AWS region identifier
    string hostname = $"{serviceName}.{region}.amazonaws.com";
    return new Uri($"https://{hostname}");
}
 
// Usage
var config = new AmazonS3Config { RegionEndpoint = RegionEndpoint.GetBySystemName(userInput) };
var client = new AmazonS3Client(credentials, config);

The method RegionEndpoint.GetBySystemName(string) is designed to look up a region. If it doesn't find a predefined one, it creates a new endpoint object using the string provided. This 'feature' is likely intended for forward compatibility—allowing the SDK to support new AWS regions without needing a library update.

However, the lack of sanitization allows for injection. If userInput is us-east-1.attacker-site.com/, the resulting hostname logic might produce a URL that the Uri class resolves unexpectedly, or simply appends the suffix in a way that creates a valid DNS entry pointing to the attacker.

The Fix: In version 4.0.3.3, AWS introduced defense-in-depth measures. The patch likely involves checking the input against a regex (e.g., ^[a-z0-9-]+$) or a strict allowlist of known regions, ensuring that no special characters or domain delimiters can be injected.

How do we weaponize this? We need to control the region input. This isn't a remote code execution exploit where we send a packet and get a shell; it requires Initial Access or a configuration injection vector.

Scenario: Imagine a .NET microservice that processes images. It reads the target AWS region from an environment variable AWS_REGION or a JSON config file provided by a deployment pipeline. An attacker who has compromised the CI/CD pipeline, or who can influence the environment variables (e.g., via a separate Container Injection flaw), can change the region to:

us-east-1.malicious.com

When the application initializes the S3 client and attempts to PutObject:

1. The SDK constructs the endpoint. Depending on how the suffix is handled, it might generate s3.us-east-1.malicious.com.amazonaws.com (if the suffix is hardcoded) or, if the injection allows breaking the format, just malicious.com.
2. The .NET application performs a DNS lookup for the attacker-controlled domain.
3. The application sends a signed HTTP request to the attacker's server.

> [!CAUTION] > The Payload: The request includes the Authorization header containing the AWS Signature Version 4 (SigV4). This signature is valid for a short window (typically 5-15 minutes).

Replay Attack: The attacker's server captures the request headers. The attacker can now replay this exact request to the real AWS endpoint (modifying the host header if necessary, though SigV4 signs the host, making this tricky but possible depending on how the signature was calculated vs. where it was sent). More dangerously, if the attacker can influence the service name as well, they might be able to trick the SDK into signing a request that allows them to exfiltrate data.

The CVSS score of 3.7 suggests you should fix this next year. The reality suggests you should fix it now. The score is suppressed by the Attack Complexity: High metric, which assumes that changing the region configuration is difficult.

However, in modern DevOps environments, configuration injection is a common vector. If an attacker can modify a ConfigMap in Kubernetes or an .env file, they can't necessarily run code, but they can change the region. This vulnerability upgrades that configuration-write primitive into a Credential Leak primitive.

What's at stake?

1. Credential Leakage: The most direct impact is the leakage of the SigV4 signature. While not a permanent access key, it allows for authorized actions within the signature's validity window.
2. Denial of Service: Redirecting traffic to a black hole stops the application from functioning.
3. Data Exfiltration (Blind): If the application is uploading data (e.g., PutObject), it is now uploading that sensitive data directly to the attacker's server. This turns the vulnerability from a simple 'traffic redirection' into a full-blown data breach.

This is a classic 'Pivot' vulnerability—useless on its own, but devastating in a chain.

The remediation is straightforward: stop using the vulnerable SDK versions. The patch provided in 4.0.3.3 validates the region string before it's used to build the endpoint.

Immediate Actions:

1. Upgrade: Run dotnet add package AWSSDK.Core --version 4.0.3.3 (or higher) for all projects.
2. Audit: Search your logs for RegionEndpoint initializations that use strings not present in the standard AWS region list.
3. Restrict: Use network policies (Egress Filtering) to ensure your pods/servers can only talk to *.amazonaws.com. If the SDK tries to talk to malicious.com, the firewall should kill it regardless of what the C# code thinks.

Don't rely on the SDK to be your firewall. Security is an onion; make sure every layer makes the attacker cry.