CVE-2025-12829 - Integer Overflow issue in Amazon Ion-C
Bulletin ID: AWS-2025-027
Scope: Amazon
Content Type: Important (requires attention)
Publication Date: 2025/11/7 10:15 AM PDT
Description:
Amazon's Ion-C is a library for the C language that is used to read and write Amazon Ion data.
We identified CVE-2025-12829, which describes an uninitialized stack read issue in Ion-C versions <v1.1.4 that may allow a threat actor to craft data and serialize it to Ion text in such a way that sensitive data in memory could be exposed through UTF-8 escape sequences.
Impacted versions: < v1.1.4
Resolution:
This issue has been addressed in Ion-C version 1.1.4. We recommend accepting only data that comes from trusted sources and was written using a supported Ion library.
References:
Please email aws-security@amazon.com with any security questions or concerns.