Skip to content
Markus Zoppelt3 min read

AI-Automated Fuzzing Found a Heap Buffer Overflow in AWS C Common

A critical heap buffer overflow vulnerability in the AWS C Common library was discovered autonomously through an AI-automated fuzz testing solution, CI Fuzz, and has been fully addressed with a patch. In this post, we explore the vulnerability and its potential impact on embedded systems.

Discovery 

A critical heap buffer overflow vulnerability was identified in the AWS C Common library (`aws-c-common`) on January 27, 2025. The discovery was made through CI Fuzz and its AI Test Agent, which uncovers bugs without human intervention. The vulnerability is located within the `s_parse_scheme` function of the URI parsing code.

Vulnerability Description 

The vulnerability originates from an incorrect bounds check in the URI parsing function s_parse_scheme within the AWS C Common library. Specifically, the original code did not properly verify that location_of_colon + 1 was within the bounds of the input string before attempting to read the next character. This could lead to a one-byte out-of-bounds read if location_of_colon points to the last character of the string. The function attempts to check whether the next character is a forward slash (/), but in this edge case, it reads one byte beyond the URI string’s memory. Importantly, this issue does not allow an attacker to write data beyond the buffer or control the content being read. The impact is limited to reading a single byte of unrelated memory, and existing mitigations prevent further out-of-bounds access.  

Technical Details

The vulnerable code segment was in `source/uri.c`, where a conditional check failed to account for the edge case of `location_of_colon` being the last character. The patch corrected this by adding an explicit check to ensure `location_of_colon + 1` is within the valid memory region before proceeding.

Potential Impact

The vulnerable code was located in source/uri.c within the s_parse_scheme function, which is used exclusively for URI parsing. The issue arose from an insufficient bounds check: the code attempted to read one byte beyond the URI string’s boundary in a specific corner case—when location_of_colon pointed to the last character of the string. This resulted in a single out-of-bounds read to check for a forward slash (/) without verifying that location_of_colon + 1 was still within the string’s valid memory. The patch addressed this by adding a proper check to ensure the read stays within bounds, preventing the corner-case overflow. The fix is detailed in pull request #1185.

Real-World Impact 

The `aws-c-common` library is a core component of many AWS Software Development Kits (SDKs), used across embedded systems, the automotive industry, and cloud services. This vulnerability, specific to URI parsing, results in a one-byte out-of-bounds read in a particular corner case. It does not allow a third party to take control of devices, access sensitive data without authorization, or disrupt services. The issue is limited to reading one additional byte from the client’s memory, which does not enable broader exploitation.

  • IoT Devices: Many rely on AWS SDKs for connectivity and data handling, and this bug affects URI parsing in those contexts.
  • Automotive Systems: Modern vehicles increasingly use cloud connectivity and AWS services. Vehicles leveraging AWS services for cloud features encounter this issue within the same parsing function.
  • Cloud Services: Any cloud service that utilizes AWS SDKs is potentially vulnerable. Services built on AWS SDKs process URIs through this library, where the vulnerability could occur.

The patch ensures consistent behavior across these applications.

Mitigation 

The vulnerability was addressed, and a patch was merged into the `aws-c-common` repository on January 27, 2025. The fix is available in pull request #1185 at the following URL: https://github.com/awslabs/aws-c-common/pull/1185

Users of `aws-c-common` are strongly advised to update to the patched version.

Reproducer 

This code snippet, using the `aws_uri_init_parse` function with a specific input, triggers the vulnerable behavior.

#include <aws/common/common.h>
#include <aws/common/uri.h>

int main() {
    struct aws_allocator *allocator = aws_default_allocator();

    const char *uri_string = ":";
    struct aws_byte_cursor uri_csr = aws_byte_cursor_from_array(uri_string, 1);

    struct aws_uri uri;
    aws_uri_init_parse(&uri, allocator, &uri_csr);

}

AI in Vulnerability Detection

The discovery highlights the effectiveness of AI-driven automated fuzz testing solutions like CI Fuzz in identifying subtle and critical vulnerabilities that might be missed by traditional testing methods. The AI was instrumental in pinpointing a specific bounds-checking error.

Book a call with our team to see how you can find vulnerabilities in your code with a single command.  

Related Articles

Natalia Kazankova4 min read

Top Six Most Dangerous Vulnerabilities in C and C++

We examined the 2024 CWE Top 25 Most Dangerous Software Weaknesses list developed by Common Weakness Enumeration (CWE™) and ...
Start Reading
Natalia Kazankova3 min read

Meet Spark, an AI Test Agent That Autonomously Uncovers Vulnerabilities

In this blog, we explain how the AI Test Agent lowers the entry barrier to white-box fuzz testing and share the main results ...
Start Reading
Natalia Kazankova2 min read

Top Fuzz Testing Tools of 2025: Feature Comparison

Discover the top 5 fuzz testing tools and their main features in this blog.
Start Reading