Cryptographic Key Commitment Flaw in Amazon S3 Encryption Client for Go
CVE-2025-14764

6MEDIUM

Key Information:

Vendor

Aws

Status
S3 Encryption Client For Go
Vendor
CVE Published:
17 December 2025

What is CVE-2025-14764?

The Amazon S3 Encryption Client for Go contains a vulnerability related to missing cryptographic key commitment. This issue enables users with write access to the S3 bucket to introduce a new Encryption Data Key (EDK) that can decrypt to unexpected plaintext when the encrypted data key is stored in an 'instruction file' rather than in S3's metadata record. To protect against this vulnerability, users are advised to upgrade to version 3.3 or later of the Amazon S3 Encryption Client for Go.

Affected Version(s)

S3 Encryption Client for Go 4.0

References

https://aws.amazon.com/security/security-bulletins/AWS-20...
vendor-advisory
https://github.com/aws/amazon-s3-encryption-client-go/sec...
third-party-advisory
https://github.com/aws/amazon-s3-encryption-client-go/rel...
patch

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.