CVE-2025-14763
Missing Key Commitment Vulnerability in Amazon S3 Encryption Client
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: AMZN
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | amazon_s3_encryption_client | 4.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a key commitment issue in the Amazon S3 Encryption Client for Java versions prior to 3.5. When encrypted data keys (EDKs) are stored in an "Instruction File" instead of S3 metadata, an attacker with write access to the S3 bucket can replace the original EDK with a rogue key. Because the client lacks key commitment, it cannot ensure that the ciphertext decrypts only to the original plaintext. This allows the attacker to cause the client to decrypt the ciphertext into attacker-chosen plaintext, potentially compromising data integrity. Exploitation requires the attacker to generate a rogue EDK and have permission to upload or replace Instruction Files in the bucket. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker with write access to your S3 bucket to replace the encrypted data key with a malicious one, causing your encrypted data to be decrypted into attacker-chosen plaintext. This compromises the integrity of your data, potentially leading to unauthorized data manipulation or corruption. However, it does not impact confidentiality or availability. To mitigate this risk, you must upgrade to version 4.0.0 or later of the Amazon S3 Encryption Client for Java, which enforces key commitment to prevent such attacks. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the Amazon S3 Encryption Client for Java to version 4.0.0 or later. This version introduces mandatory key commitment algorithm suites that cryptographically bind the encrypted data key to the ciphertext, preventing the attack. Additionally, review and update any custom implementations of CryptographicMaterialsManager and Keyring interfaces to comply with the new API requirements introduced in version 4.0.0. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker with write access to an S3 bucket to replace the encrypted data key (EDK) with a rogue key that decrypts to different plaintext, compromising data integrity. This undermines cryptographic assurances that are often required by compliance standards such as GDPR and HIPAA, which mandate strong data protection and integrity controls. The lack of key commitment means encrypted data could be tampered with undetected, potentially leading to non-compliance with these regulations. Upgrading to version 4.0.0 or later, which enforces key commitment and stricter cryptographic standards, helps restore compliance by ensuring cryptographic integrity and preventing such tampering. [1, 2]