Missing Cryptographic Key Commitment in AWS SDK for Ruby
CVE-2025-14762

6MEDIUM

Key Information:

Vendor

Aws

Status
Aws Sdk For Ruby
Vendor
CVE Published:
17 December 2025

What is CVE-2025-14762?

The AWS SDK for Ruby, an open-source client-side encryption library, exhibits a vulnerability where a missing cryptographic key commitment could allow a user with write access to an S3 bucket to create a new Encrypted Data Key (EDK). This EDK could potentially decrypt to different plaintext when stored in an 'instruction file', rather than in S3's metadata record. Users are strongly advised to upgrade to version 1.208.0 or later to address this security concern.

Affected Version(s)

AWS SDK for Ruby 1.208.0

References

https://aws.amazon.com/security/security-bulletins/AWS-20...
vendor-advisory
https://github.com/aws/aws-sdk-ruby/security/advisories/G...
third-party-advisory
https://rubygems.org/gems/aws-sdk-s3/versions/1.208.0
patch

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.