CVE-2025-14760
Unknown Unknown - Not Provided
Missing Key Commitment Vulnerability in AWS SDK for C++ S3 Encryption

Publication date: 2025-12-17

Last updated on: 2025-12-17

Assigner: AMZN

Description
Missing cryptographic key commitment in the AWS SDK for C++ may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade AWS SDK for C++ to version 1.11.712 or later
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-17
Generated
2026-06-16
AI Q&A
2025-12-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14760
EUVD
EUVD-2025-203941
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
amazon aws_sdk_for_cpp 1.11.712
amazon aws_sdk_for_cpp *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves a missing cryptographic key commitment in the AWS SDK for C++ S3 Encryption Client. When the encrypted data key (EDK) is stored in an "instruction file" instead of S3's metadata, an attacker with write access to the S3 bucket can replace the EDK with a different key. This allows the attacker to decrypt the data to different plaintext, compromising the integrity of the encrypted data. AWS fixed this by introducing key commitment, which cryptographically binds the EDK to the ciphertext, preventing unauthorized key replacement. [1]

Impact Analysis

If exploited, this vulnerability can allow an attacker with write access to your S3 bucket to replace the encrypted data key with a malicious one. This means the attacker can cause the encrypted data to decrypt to incorrect or malicious plaintext, compromising data integrity and potentially leading to data corruption or unauthorized data manipulation. [1]

Mitigation Strategies

To mitigate this vulnerability, upgrade the AWS SDK for C++ to version 1.11.712 or later. This update includes the implementation of key commitment, which cryptographically binds the encrypted data key (EDK) to the ciphertext, preventing unauthorized replacement of the key. There are no known workarounds, so upgrading to the latest major version is the recommended immediate step. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart