CVE-2025-14759
Missing Key Commitment Vulnerability in Amazon S3 .NET Encryption Client
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: AMZN
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | s3_encryption_client | 4.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Amazon S3 Encryption Client for .NET, where a missing cryptographic key commitment allows a user with write access to an S3 bucket to introduce a new encrypted data key (EDK) that decrypts to different plaintext. This occurs when the encrypted data key is stored in an "instruction file" instead of S3's metadata record, potentially leading to incorrect decryption of data.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing a user with write access to the S3 bucket to manipulate encrypted data keys, causing data to decrypt incorrectly to different plaintext. This can lead to data integrity issues and potentially unauthorized data manipulation or confusion about the actual data content.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Amazon S3 Encryption Client for .NET to version 4.0.0 or later.