CVE-2025-14761
Bulletin ID: AWS-2025-032 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/12/17 12:15 PM PST We identify the following CVEs: CVE-2025-14763 - Key Commitment Issues in S3 Encryption Client in Java CVE-2025-14764 - Key Commitment Issues in S3 Encryption Client in Go CVE-2025-14759 - Key Commitment Issues in S3 Encryption Client in .NET CVE-2025-14760 - Key Commitment Issues in S3 Encryption Client in C++ - part of the AWS SDK for C++ CVE-2025-14761 - Key Commitment Issues in S3 Encryption Client in PHP - part of the AWS SDK for PHP CVE-2025-14762 - Key Commitment Issues in S3 Encryption Client in Ruby - part of the AWS SDK for Ruby Description: S3 Encryption Clients for Java, Go, .NET, C++, PHP, and Ruby are open-source client-side encryption libraries used to facilitate writing and reading encrypted records to S3. When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack, which could allow the EDK to be replaced with a new key. Resolution: - S3 Encryption Client Java: <= 3.5.0 - S3 Encryption Client Go: <= 3.1.0 - S3 Encryption Client .NET: <= 3.1 - AWS SDK for C++: <= 1.11.711 - AWS SDK for PHP: <= 3.367.0 - AWS SDK for Ruby: <= 1.207.0
CSIRTS triage
- What
- Key commitment issues were identified in multiple S3 Encryption Clients.
- Who is affected
- Users of S3 Encryption Clients in Java, Go, .NET, C++, PHP, and Ruby.
- Urgency
- Remediation is important to address potential security weaknesses.
- Action
- Review and update the S3 Encryption Clients to the latest versions.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2025-14761
Get an email if CVE-2025-14761 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.18% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 7% of all EPSS-scored CVEs.
Advisory coverage (1)
- unknownKey Commitment Issues in S3 Encryption Clientsaws · 2026-06-05
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2025-14761)