CVE-2025-14762
Missing Key Commitment Vulnerability in AWS SDK for Ruby S3 Encryption
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: AMZN
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | aws_sdk_for_ruby | * |
| amazon | aws_sdk_s3 | 1.208.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is a key commitment issue in the AWS S3 Encryption Client (S3EC) for Ruby versions up to 1.207.0. When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3 metadata, an attacker with write access to the S3 bucket can replace the original EDK with a rogue key. This allows the ciphertext to be decrypted into different plaintexts depending on the key used, enabling malicious manipulation of the decrypted data. The root cause is the lack of cryptographic key commitment, which normally ensures that ciphertext can only be decrypted by the original encryption key. The vulnerability is fixed in version 1.208.0 and later by introducing key commitment that binds the EDK to the ciphertext, preventing substitution attacks. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker with write access to your S3 bucket to replace the encrypted data key with a rogue key, causing your encrypted data to decrypt into malicious or unintended plaintext. This compromises the integrity of your data, potentially leading to data corruption or unauthorized data manipulation. However, it does not impact confidentiality or availability. To avoid this risk, you must upgrade to AWS SDK for Ruby version 1.208.0 or later. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability specifically affects AWS SDK for Ruby versions up to and including 1.207.0 when using the S3 Encryption Client with encrypted data keys stored in Instruction Files. Detection involves verifying the version of the AWS SDK for Ruby installed in your environment. You can check the installed gem version by running the command: `gem list aws-sdk-s3` or `bundle list | grep aws-sdk-s3`. Additionally, inspect your S3 buckets for usage of Instruction Files for encrypted data keys, which may require custom scripts or AWS CLI commands to audit bucket contents and metadata. However, no specific detection commands for network or system scanning are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the AWS SDK for Ruby to version 1.208.0 or later. This version includes the fix that implements cryptographic key commitment, preventing the substitution attack on encrypted data keys stored in Instruction Files. There are no workarounds; upgrading is the only effective mitigation. [1, 2]