Cryptographic Key Commitment Flaw in Amazon S3 Encryption Client for Go
CVE-2025-14764

6 MEDIUM

Key Information:

Vendor:
AWS
CVE Published:
17 December 2025

What is CVE-2025-14764?

The Amazon S3 Encryption Client for Go contains a vulnerability caused by missing cryptographic key commitment. A user with write access to the S3 bucket can introduce a new Encrypted Data Key (EDK) that decrypts to unexpected plaintext when the encrypted data key is stored in an 'instruction file' rather than in S3's metadata record. To protect against this vulnerability, users are advised to upgrade to version 3.3 or later of the Amazon S3 Encryption Client for Go.

Affected Version(s)

S3 Encryption Client for Go 4.0

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
