CVE-2025-14761
Unknown Unknown - Not Provided
Missing Key Commitment Vulnerability in AWS SDK for PHP S3 Encryption

Publication date: 2025-12-17

Last updated on: 2025-12-17

Assigner: AMZN

Description
Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade AWS SDK for PHP to version 3.368.0 or later
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-17
Generated
2026-06-16
AI Q&A
2025-12-17
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14761
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
amazon aws_sdk_for_php 3.367.0
amazon aws_sdk_for_php 3.368.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a key commitment issue in the AWS SDK for PHP's S3 Encryption Client (S3EC). When encrypted data keys (EDKs) are stored in an "Instruction File" instead of S3 metadata, an attacker with write access to the S3 bucket can replace the original EDK with a rogue key. Because the system lacks key commitment, the ciphertext can be decrypted into different plaintexts using different keys. This allows the attacker to cause decryptions to produce attacker-controlled plaintext without detection. The vulnerability requires the attacker to upload a new Instruction File with the rogue EDK. AWS fixed this by adding cryptographic key commitment in version 3.368.0 and later. [1]

Impact Analysis

This vulnerability can impact you by allowing an attacker with write access to your S3 bucket to manipulate encrypted data. Specifically, they can replace the encrypted data key with a rogue key that decrypts the ciphertext to attacker-chosen plaintext. This compromises the integrity of your encrypted data, potentially leading to unauthorized data manipulation or corruption without detection. However, it does not impact confidentiality or availability. [1]

Detection Guidance

There are no specific detection commands or network/system detection methods provided for this vulnerability. Detection would involve verifying the version of AWS SDK for PHP in use, ensuring it is version 3.368.0 or later, as earlier versions are vulnerable. Since the vulnerability involves the use of 'Instruction Files' for encrypted data keys and requires write access to the S3 bucket, monitoring for unauthorized changes to Instruction Files in S3 buckets and auditing write permissions could help detect potential exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the AWS SDK for PHP to version 3.368.0 or later, which includes fixes that implement key commitment to prevent this vulnerability. There are no workarounds available, so upgrading is essential. Additionally, reviewing and restricting write access permissions to S3 buckets to prevent unauthorized modification of Instruction Files can help reduce risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart