CVE-2025-14761
Missing Key Commitment Vulnerability in AWS SDK for PHP S3 Encryption
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: AMZN
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | aws_sdk_for_php | 3.367.0 |
| amazon | aws_sdk_for_php | 3.368.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a key commitment issue in the AWS SDK for PHP's S3 Encryption Client (S3EC). When encrypted data keys (EDKs) are stored in an "Instruction File" instead of S3 metadata, an attacker with write access to the S3 bucket can replace the original EDK with a rogue key. Because the system lacks key commitment, the ciphertext can be decrypted into different plaintexts using different keys. This allows the attacker to cause decryptions to produce attacker-controlled plaintext without detection. The vulnerability requires the attacker to upload a new Instruction File with the rogue EDK. AWS fixed this by adding cryptographic key commitment in version 3.368.0 and later. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker with write access to your S3 bucket to manipulate encrypted data. Specifically, they can replace the encrypted data key with a rogue key that decrypts the ciphertext to attacker-chosen plaintext. This compromises the integrity of your encrypted data, potentially leading to unauthorized data manipulation or corruption without detection. However, it does not impact confidentiality or availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network/system detection methods provided for this vulnerability. Detection would involve verifying the version of AWS SDK for PHP in use, ensuring it is version 3.368.0 or later, as earlier versions are vulnerable. Since the vulnerability involves the use of 'Instruction Files' for encrypted data keys and requires write access to the S3 bucket, monitoring for unauthorized changes to Instruction Files in S3 buckets and auditing write permissions could help detect potential exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the AWS SDK for PHP to version 3.368.0 or later, which includes fixes that implement key commitment to prevent this vulnerability. There are no workarounds available, so upgrading is essential. Additionally, reviewing and restricting write access permissions to S3 buckets to prevent unauthorized modification of Instruction Files can help reduce risk. [1, 2]