CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Key Commitment Issues in S3 Encryption Clients

unknownCVE-2025-14763CVE-2025-14764CVE-2025-14759CVE-2025-14760CVE-2025-14761CVE-2025-14762
Bulletin ID: AWS-2025-032 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/12/17 12:15 PM PST We identify the following CVEs: CVE-2025-14763 - Key Commitment Issues in S3 Encryption Client in Java CVE-2025-14764 - Key Commitment Issues in S3 Encryption Client in Go CVE-2025-14759 - Key Commitment Issues in S3 Encryption Client in .NET CVE-2025-14760 - Key Commitment Issues in S3 Encryption Client in C++ - part of the AWS SDK for C++ CVE-2025-14761 - Key Commitment Issues in S3 Encryption Client in PHP - part of the AWS SDK for PHP CVE-2025-14762 - Key Commitment Issues in S3 Encryption Client in Ruby - part of the AWS SDK for Ruby Description: S3 Encryption Clients for Java, Go, .NET, C++, PHP, and Ruby are open-source client-side encryption libraries used to facilitate writing and reading encrypted records to S3. When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack, which could allow the EDK to be replaced with a new key. Resolution: - S3 Encryption Client Java: <= 3.5.0 - S3 Encryption Client Go: <= 3.1.0 - S3 Encryption Client .NET: <= 3.1 - AWS SDK for C++: <= 1.11.711 - AWS SDK for PHP: <= 3.367.0 - AWS SDK for Ruby: <= 1.207.0

CSIRTS triage

What
Key commitment issues were identified in multiple S3 Encryption Clients.
Who is affected
Users of S3 Encryption Clients in Java, Go, .NET, C++, PHP, and Ruby.
Urgency
Remediation is important to address potential security weaknesses.
Action
Review and update the S3 Encryption Clients to the latest versions.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch S3 Encryption Clients

Get an email when a new S3 Encryption Clients advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-032/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2025-14763coverage & exploitation statusNVD · CVE.org
CVE-2025-14764coverage & exploitation statusNVD · CVE.org
CVE-2025-14759coverage & exploitation statusNVD · CVE.org
CVE-2025-14760coverage & exploitation statusNVD · CVE.org
CVE-2025-14761coverage & exploitation statusNVD · CVE.org
CVE-2025-14762coverage & exploitation statusNVD · CVE.org

More from AWS Security Bulletins