CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2025-14764

unknowncovered by 1 sourcefirst seen 2026-06-05
Bulletin ID: AWS-2025-032 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/12/17 12:15 PM PST We identify the following CVEs: CVE-2025-14763 - Key Commitment Issues in S3 Encryption Client in Java CVE-2025-14764 - Key Commitment Issues in S3 Encryption Client in Go CVE-2025-14759 - Key Commitment Issues in S3 Encryption Client in .NET CVE-2025-14760 - Key Commitment Issues in S3 Encryption Client in C++ - part of the AWS SDK for C++ CVE-2025-14761 - Key Commitment Issues in S3 Encryption Client in PHP - part of the AWS SDK for PHP CVE-2025-14762 - Key Commitment Issues in S3 Encryption Client in Ruby - part of the AWS SDK for Ruby Description: S3 Encryption Clients for Java, Go, .NET, C++, PHP, and Ruby are open-source client-side encryption libraries used to facilitate writing and reading encrypted records to S3. When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack, which could allow the EDK to be replaced with a new key. Resolution: - S3 Encryption Client Java: <= 3.5.0 - S3 Encryption Client Go: <= 3.1.0 - S3 Encryption Client .NET: <= 3.1 - AWS SDK for C++: <= 1.11.711 - AWS SDK for PHP: <= 3.367.0 - AWS SDK for Ruby: <= 1.207.0

CSIRTS triage

What
Key commitment issues were identified in multiple S3 Encryption Clients.
Who is affected
Users of S3 Encryption Clients in Java, Go, .NET, C++, PHP, and Ruby.
Urgency
Remediation is important to address potential security weaknesses.
Action
Review and update the S3 Encryption Clients to the latest versions.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2025-14764

Get an email if CVE-2025-14764 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2025-14764

CVE.org record

Embed the live status

CVE-2025-14764 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2025-14764 status](https://www.csirts.com/badge/CVE-2025-14764)](https://www.csirts.com/cve/CVE-2025-14764)