CVE-2025-14760
Missing Key Commitment Vulnerability in AWS SDK for C++ S3 Encryption
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: AMZN
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | aws_sdk_for_cpp | 1.11.712 |
| amazon | aws_sdk_for_cpp | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves a missing cryptographic key commitment in the AWS SDK for C++ S3 Encryption Client. When the encrypted data key (EDK) is stored in an "instruction file" instead of S3's metadata, an attacker with write access to the S3 bucket can replace the EDK with a different key. This allows the attacker to decrypt the data to different plaintext, compromising the integrity of the encrypted data. AWS fixed this by introducing key commitment, which cryptographically binds the EDK to the ciphertext, preventing unauthorized key replacement. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker with write access to your S3 bucket to replace the encrypted data key with a malicious one. This means the attacker can cause the encrypted data to decrypt to incorrect or malicious plaintext, compromising data integrity and potentially leading to data corruption or unauthorized data manipulation. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the AWS SDK for C++ to version 1.11.712 or later. This update includes the implementation of key commitment, which cryptographically binds the encrypted data key (EDK) to the ciphertext, preventing unauthorized replacement of the key. There are no known workarounds, so upgrading to the latest major version is the recommended immediate step. [1]
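The two answers above describe the mechanism in the abstract: a wrapped data key (EDK) kept in a separate instruction file can be swapped by anyone with write access to the bucket, and key commitment stops that by binding the EDK to the ciphertext. The following Python script is an added illustration of that idea and is not the AWS SDK for C++ code or its actual on-the-wire format. It assumes a toy envelope-encryption layout (object body plus instruction file), hypothetical HKDF labels, constructed wrapping keys, and an HMAC-SHA256 counter-mode stream cipher standing in for the real cipher so that it runs on the standard library only. The commitment tag is stored in the object body, so an attacker who overwrites only the instruction file cannot make it match.

```python
"""Illustrative key commitment for an envelope-encrypted object.

Added example, not the AWS SDK's implementation. Every label, key and
sample record below is constructed for this demonstration.
"""
import hashlib
import hmac

INFO_ENC = b"demo/encryption-key"      # hypothetical HKDF label for the content key
INFO_COMMIT = b"demo/key-commitment"   # hypothetical HKDF label for the commitment tag
WRAP_NONCE = b"demo/wrap"              # constructed nonce for the toy key wrap


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode). It only models
    'decrypts under whatever key you hand it'; it is not AES-GCM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


# Constructed wrapping keys: the bucket owner's and one an attacker controls.
WRAPPING_KEYS = {"owner-kek": b"O" * 32, "attacker-kek": b"A" * 32}


def wrap(kek_id: str, data_key: bytes) -> bytes:
    return keystream_xor(WRAPPING_KEYS[kek_id], WRAP_NONCE, data_key)


def unwrap(kek_id: str, edk: bytes) -> bytes:
    return keystream_xor(WRAPPING_KEYS[kek_id], WRAP_NONCE, edk)


def encrypt_object(plaintext: bytes, data_key: bytes, kek_id: str, nonce: bytes):
    """Return (object body, instruction file). The commitment tag is derived
    from the data key and travels with the ciphertext, not with the EDK."""
    enc_key = hkdf_sha256(data_key, nonce, INFO_ENC)
    commitment = hkdf_sha256(data_key, nonce, INFO_COMMIT)
    body = {"nonce": nonce, "commitment": commitment,
            "ciphertext": keystream_xor(enc_key, nonce, plaintext)}
    instruction = {"kek_id": kek_id, "edk": wrap(kek_id, data_key)}
    return body, instruction


def decrypt_object(body: dict, instruction: dict, require_commitment: bool = True) -> bytes:
    """Unwrap the EDK named by the instruction file; with commitment enabled,
    recompute the tag and refuse to decrypt if it does not match the body."""
    data_key = unwrap(instruction["kek_id"], instruction["edk"])
    if require_commitment:
        expected = hkdf_sha256(data_key, body["nonce"], INFO_COMMIT)
        if not hmac.compare_digest(expected, body["commitment"]):
            raise ValueError("key commitment mismatch: EDK does not belong to this ciphertext")
    enc_key = hkdf_sha256(data_key, body["nonce"], INFO_ENC)
    return keystream_xor(enc_key, body["nonce"], body["ciphertext"])


def demo() -> dict:
    plaintext = b"constructed sample record"      # constructed input
    owner_key, nonce = b"K" * 32, b"N" * 12       # constructed data key and nonce
    body, instruction = encrypt_object(plaintext, owner_key, "owner-kek", nonce)

    # A writer who can only overwrite the instruction file points it at a key they control.
    tampered = {"kek_id": "attacker-kek", "edk": wrap("attacker-kek", b"X" * 32)}

    legacy = decrypt_object(body, tampered, require_commitment=False)  # silently wrong plaintext
    try:
        decrypt_object(body, tampered)
        committed_rejected = False
    except ValueError:
        committed_rejected = True

    return {
        "honest_roundtrip": decrypt_object(body, instruction) == plaintext,
        "legacy_returns_original": legacy == plaintext,
        "committed_rejected": committed_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Without the check, the swapped EDK is accepted and the object decrypts to bytes that are not the original record, which is the integrity failure the answers describe; with it, the mismatch is caught before any content is decrypted. Storing the tag in the body rather than in the instruction file is what makes the binding useful, since the instruction file is exactly the artifact the attacker can rewrite.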