The ex_aws ex_aws_sns library versions 2.0.1 up to but not including 2.3.5 contain an improper certificate validation vulnerability (CWE-295) in the verify_message/1 function. This function fetches the signing certificate from the SigningCertURL field of incoming SNS messages without verifying that the URL uses HTTPS or that the host is an AWS-owned SNS certificate domain. An unauthenticated attacker able to POST to an endpoint calling verify_message/1 can supply a malicious SigningCertURL and sign a forged SNS message with their own key. This causes the function to incorrectly return :ok, bypassing SNS signature verification and enabling signature spoofing. The vulnerability has a CVSS 4.0 score of 8.7 (high severity). The affected product is a cloud service, and a patch is available.

Successful exploitation allows an unauthenticated attacker to bypass SNS signature verification by supplying a malicious SigningCertURL and forged signature. This can lead to acceptance of spoofed SNS messages, potentially causing unauthorized actions or misinformation in systems relying on SNS message authenticity. There are no known exploits in the wild at this time.

A patch is available for ex_aws_sns versions prior to 2.3.5. Users should upgrade to version 2.3.5 or later to remediate this vulnerability. Since ex_aws_sns is a cloud service, the vendor typically manages remediation server-side; users should verify with the vendor advisory for confirmation and ensure their deployments are updated accordingly.