Severity: Medium — verified
sqs/service.go:243-253 — sender-controlled MessageAttributes are
merged into the consumer-visible attribute map after the SQS system
attributes, so a colliding key from the producer wins. A malicious producer
can therefore set a MessageAttribute named ApproximateReceiveCount (or any
other system attribute name the consumer reads) and shadow the SQS-populated
value, defeating retry/poison-pill/DLQ logic that takes the receive count
from the merged map.
Fix
Merge system attributes last so the SQS-populated values always win, and
reject (or namespace under a prefix such as "user.") caller keys that collide
with system attribute names so a collision is surfaced instead of silently
dropped. Add a regression test that delivers a message carrying a
MessageAttribute named ApproximateReceiveCount and asserts the consumer still
sees the SQS count.
Identified during an internal security review of the Gas framework
(2026-07-03).
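A minimal reproduction of the ordering bug and of both mitigations, as an added example that is not the Gas framework's own code. The message struct, the systemKeys allow-list, the "user." prefix and the receive-count threshold are constructed stand-ins for the SDK types and the consumer's real retry logic; the sample message is constructed.

```go
package main

import (
	"fmt"
	"strconv"
)

// message is a constructed stand-in for the SQS message shape: SQS fills
// SystemAttributes (ApproximateReceiveCount, SentTimestamp, ...) itself,
// while MessageAttributes is whatever the producer chose to send.
type message struct {
	SystemAttributes  map[string]string // populated by SQS, trustworthy
	MessageAttributes map[string]string // producer-controlled, untrusted
}

// systemKeys is a hypothetical allow-list of SQS system attribute names the
// consumer keys on; a real service would list every name it reads.
var systemKeys = map[string]bool{
	"ApproximateReceiveCount":          true,
	"ApproximateFirstReceiveTimestamp": true,
	"SentTimestamp":                    true,
	"MessageDeduplicationId":           true,
	"MessageGroupId":                   true,
}

// mergeVulnerable reproduces the ordering from the finding: caller attributes
// are written after system attributes, so a colliding producer key shadows
// the SQS-populated value.
func mergeVulnerable(m message) map[string]string {
	out := make(map[string]string, len(m.SystemAttributes)+len(m.MessageAttributes))
	for k, v := range m.SystemAttributes {
		out[k] = v
	}
	for k, v := range m.MessageAttributes { // last writer wins: the producer
		out[k] = v
	}
	return out
}

// mergeFixed applies both parts of the fix: caller keys that collide with a
// system attribute name are rejected (so the caller can drop or dead-letter
// the message), and system attributes are written last, so even a name
// missing from systemKeys cannot shadow the SQS value.
func mergeFixed(m message) (map[string]string, error) {
	out := make(map[string]string, len(m.SystemAttributes)+len(m.MessageAttributes))
	for k, v := range m.MessageAttributes {
		if systemKeys[k] {
			return nil, fmt.Errorf("message attribute %q collides with an SQS system attribute", k)
		}
		out[k] = v
	}
	for k, v := range m.SystemAttributes { // system attributes win
		out[k] = v
	}
	return out, nil
}

// mergeNamespaced is the alternative from the fix: caller keys are kept
// verbatim under a "user." prefix so they can never collide with system names.
func mergeNamespaced(m message) map[string]string {
	out := make(map[string]string, len(m.SystemAttributes)+len(m.MessageAttributes))
	for k, v := range m.MessageAttributes {
		out["user."+k] = v
	}
	for k, v := range m.SystemAttributes {
		out[k] = v
	}
	return out
}

// receiveCount reads the counter the retry/poison-pill logic depends on. A
// missing or non-numeric value reads as 0 (never dead-lettered), which is
// exactly why the value must come from SQS and not from the producer.
func receiveCount(attrs map[string]string) int {
	n, err := strconv.Atoi(attrs["ApproximateReceiveCount"])
	if err != nil {
		return 0
	}
	return n
}

// shouldDeadLetter is the consumer-side decision the finding says a producer
// can defeat: give up once SQS has delivered the message maxReceives times.
func shouldDeadLetter(attrs map[string]string, maxReceives int) bool {
	return receiveCount(attrs) >= maxReceives
}

func main() {
	// Constructed poison pill: SQS has delivered it 7 times, but the producer
	// stamped its own ApproximateReceiveCount of "1" onto the message.
	m := message{
		SystemAttributes:  map[string]string{"ApproximateReceiveCount": "7", "SentTimestamp": "1700000000000"},
		MessageAttributes: map[string]string{"ApproximateReceiveCount": "1", "trace-id": "abc123"},
	}
	v := mergeVulnerable(m)
	fmt.Printf("vulnerable: count=%d deadLetter=%v\n", receiveCount(v), shouldDeadLetter(v, 5))
	if _, err := mergeFixed(m); err != nil {
		fmt.Println("fixed: rejected:", err)
	}
	n := mergeNamespaced(m)
	fmt.Printf("namespaced: count=%d deadLetter=%v\n", receiveCount(n), shouldDeadLetter(n, 5))
}
```

Rejecting is the safer default when the consumer already ignores unknown keys; namespacing is the better choice when producer keys must survive unchanged, and in that case the consumer's own reads of ApproximateReceiveCount should target the un-prefixed, SQS-populated key only.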