Impact
The vulnerability in Spring Cloud AWS arose because the library did not verify signatures on incoming Amazon SNS messages sent to HTTP/HTTPS endpoints that use the @NotificationMessageMapping, @NotificationSubscriptionMapping, or @NotificationUnsubscribeConfirmationMapping annotations. An attacker who knows the public endpoint URL could craft HTTP POST requests that mimic valid SNS notifications or subscription confirmations. If an application processes these messages without checking their origin, it could be tricked into executing unintended actions such as triggering downstream services, creating resources, or exposing sensitive data. The issue is classified as CWE-345, insufficient verification of data authenticity.
Affected Systems
All applications that depend on the Spring Cloud AWS or Spring Cloud AWS SNS libraries between versions 3.0.0 and 4.0.1 are affected. The issue applies to the awspring:spring-cloud-aws package and the io.awspring.cloud:spring-cloud-aws-sns package, as listed by the CNA. Any application instance that hosts an SNS HTTP/HTTPS endpoint using the annotation support covered by these libraries is vulnerable until the fix is applied.
Risk and Exploitability
The CVSS score of 6.3 classifies this flaw as moderate severity. The EPSS score is not available, and it is not yet listed in CISA's KEV catalog, suggesting no widespread exploitation yet, but the nature of the flaw allows a remote attacker with network access to the endpoint to send forged messages without authentication. Because the attacker only needs knowledge of the endpoint URL and the ability to POST to it, the attack vector is straightforward. With no signature verification in place, a crafted message is accepted as if it came from SNS, potentially letting the attacker influence the target application's behaviour.
OpenCVE Enrichment