CVE-2025-14760
Unknown Unknown - Not Provided

Missing Key Commitment Vulnerability in AWS SDK for C++ S3 Encryption

Vulnerability report for CVE-2025-14760, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-17

Last updated on: 2025-12-17

Assigner: AMZN

Description

Missing cryptographic key commitment in the AWS SDK for C++ may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade AWS SDK for C++ to version 1.11.712 or later

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-17
Last Modified
2025-12-17
Generated
2026-07-06
AI Q&A
2025-12-17
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
amazon aws_sdk_for_cpp 1.11.712
amazon aws_sdk_for_cpp *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves a missing cryptographic key commitment in the AWS SDK for C++ S3 Encryption Client. When the encrypted data key (EDK) is stored in an "instruction file" instead of S3's metadata, an attacker with write access to the S3 bucket can replace the EDK with a different key. This allows the attacker to decrypt the data to different plaintext, compromising the integrity of the encrypted data. AWS fixed this by introducing key commitment, which cryptographically binds the EDK to the ciphertext, preventing unauthorized key replacement. [1]

Impact Analysis

If exploited, this vulnerability can allow an attacker with write access to your S3 bucket to replace the encrypted data key with a malicious one. This means the attacker can cause the encrypted data to decrypt to incorrect or malicious plaintext, compromising data integrity and potentially leading to data corruption or unauthorized data manipulation. [1]

Mitigation Strategies

To mitigate this vulnerability, upgrade the AWS SDK for C++ to version 1.11.712 or later. This update includes the implementation of key commitment, which cryptographically binds the encrypted data key (EDK) to the ciphertext, preventing unauthorized replacement of the key. There are no known workarounds, so upgrading to the latest major version is the recommended immediate step. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart