Missing Cryptographic Key Commitment in Amazon S3 Encryption Client for Java
CVE-2025-14763
6 MEDIUM
What is CVE-2025-14763?
The Amazon S3 Encryption Client for Java does not commit to the cryptographic key when handling encrypted data keys (EDKs). As a result, a user with write access to an S3 bucket can introduce an alternate EDK through an instruction file, potentially compromising the confidentiality of the encrypted data. To remediate, upgrade to version 4.0.0 or later of the Amazon S3 Encryption Client for Java.
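An added example, not code from this advisory or from the AWS client: a generic key-commitment check in Java, in which a tag derived from the data key is stored with the ciphertext and verified after an EDK is unwrapped and before any content is decrypted. The class name, the label, and the HMAC-based construction are assumptions chosen for illustration; they are not the scheme the client itself uses.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class KeyCommitmentDemo {
    // Domain-separation label (constructed for this example).
    private static final byte[] LABEL =
            "example-key-commitment-v1".getBytes(StandardCharsets.UTF_8);

    /** Commitment = HMAC-SHA256(dataKey, LABEL || messageId); stored with the ciphertext. */
    static byte[] commit(byte[] dataKey, byte[] messageId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(dataKey, "HmacSHA256"));
        mac.update(LABEL);
        return mac.doFinal(messageId);
    }

    /** Run after unwrapping an EDK and before any content decryption. */
    static boolean keyMatchesCommitment(byte[] candidateKey, byte[] messageId,
                                        byte[] stored) throws Exception {
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(commit(candidateKey, messageId), stored);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] messageId = new byte[16];   // per-object identifier (constructed)
        byte[] writerKey = new byte[32];   // data key used at encryption time
        byte[] swappedKey = new byte[32];  // key a replaced EDK would unwrap to
        rng.nextBytes(messageId);
        rng.nextBytes(writerKey);
        rng.nextBytes(swappedKey);

        // Writer side: compute the commitment once, at encryption time.
        byte[] stored = commit(writerKey, messageId);

        // Reader side, case 1: the EDK unwraps to the key the writer used.
        System.out.println("original key accepted: "
                + keyMatchesCommitment(writerKey, messageId, stored));
        // Reader side, case 2: the EDK came from a replaced instruction file.
        boolean accepted = keyMatchesCommitment(swappedKey, messageId, stored);
        System.out.println("swapped key accepted:  " + accepted);
        if (accepted) throw new IllegalStateException("commitment did not reject key");
    }
}
```

A production design would also derive the content-encryption key from the data key with a KDF rather than using the same bytes for both purposes.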
Affected Version(s)
S3 Encryption Client for Java 4.0.0
