Cross-Tenant Data Leakage in AWS Bedrock via Inference Cache Collision
Overview
A critical vulnerability was discovered in the shared inference caching layer for select foundation models hosted on AWS Bedrock. The caching system, intended to optimize performance and reduce costs for repeated prompts, used a non-cryptographic hash of the prompt text as the primary cache key, without adequately namespacing the keys by tenant ID. This architectural flaw created a cache collision vulnerability.

An attacker could craft specific, commonly used prompts (e.g., "Summarize the following text:") and poison the shared cache with a malicious response. This response could contain misinformation or, more dangerously, a payload designed to exfiltrate data from the next user's prompt. For example, the poisoned response could be a JavaScript payload within a markdown block. When a victim in a separate AWS account submitted a legitimate prompt that collided with the attacker's, Bedrock would serve the poisoned response from the cache. If the victim's application rendered this response in a web context, the payload could execute, capturing the victim's full prompt and sending it to an attacker-controlled endpoint.

This effectively broke the tenant isolation model, allowing an attacker on the platform to steal sensitive data from other customers. The issue was discovered by cloud security researchers and was patched by AWS before public disclosure.
Affected Systems
Testing Guide
1. This vulnerability cannot be tested by customers as it required specific knowledge of the Bedrock internal architecture and the ability to orchestrate requests across multiple AWS accounts to create a hash collision.
2. The primary method of verification is to confirm via the AWS Health Dashboard or AWS support that your account was not notified of any adverse impact related to this incident.
Mitigation Steps
1. No user action is required to fix the underlying vulnerability, as AWS patched their backend infrastructure on September 19, 2025.
2. Review application logs for any anomalous or unexpected model responses received from Bedrock during the potential exposure period (prior to September 19, 2025).
3. Implement strict output encoding and sanitization in applications that consume Bedrock's API responses, treating all model-generated content as untrusted input. This is a best practice that would mitigate the impact of similar vulnerabilities.
4. Monitor the AWS Health Dashboard and relevant security bulletins for notifications regarding service-side vulnerabilities.
Patch Details
Patched by AWS on their backend infrastructure on 2025-09-19. The fix involved augmenting the cache key algorithm to include the tenant's unique account identifier.
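
The difference between the flawed key and a tenant-namespaced key, as an added illustration for teams that run their own shared response cache (this is not AWS's code). CRC32 stands in for the unnamed non-cryptographic hash, and the account IDs, model name, class and function names are constructed for the example.

```python
import hashlib
import zlib

def weak_key(prompt: str) -> str:
    """Flawed scheme described above: the key depends on prompt text only.
    CRC32 is a stand-in; the page does not name the hash that was used."""
    return f"{zlib.crc32(prompt.encode('utf-8')):08x}"

def scoped_key(account_id: str, model_id: str, prompt: str) -> str:
    """Tenant-namespaced key: SHA-256 over length-prefixed fields, so that
    ("ab", "c") and ("a", "bc") can never serialize to the same bytes."""
    h = hashlib.sha256()
    for field in (account_id, model_id, prompt):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()

class InferenceCache:
    """Toy in-memory response cache with a pluggable key function."""
    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._store = {}

    def get_or_compute(self, account_id, model_id, prompt, compute):
        key = self._key_fn(account_id, model_id, prompt)
        if key not in self._store:
            self._store[key] = compute(account_id, prompt)
        return self._store[key]

def demo(key_fn):
    """Two constructed tenants send the same prompt; return what each receives."""
    cache = InferenceCache(key_fn)
    prompt = "Summarize the following text:"
    model = "example-model"  # hypothetical model name
    respond = lambda acct, p: f"response generated for {acct}"
    a = cache.get_or_compute("111111111111", model, prompt, respond)
    b = cache.get_or_compute("222222222222", model, prompt, respond)
    return a, b

if __name__ == "__main__":
    print("prompt-only key:", demo(lambda acct, model, p: weak_key(p)))
    print("tenant-scoped key:", demo(scoped_key))
```

With the prompt-only key the second tenant is served the first tenant's cached entry; with the scoped key each tenant only ever reads entries written under its own account identifier.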