CVE-2025-14761
Published 2025-12-17
Priority: P4 · 30 · medium · 5.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.18% (7.4th percentile)
Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record.
To mitigate this issue, upgrade AWS SDK for PHP to version 3.368.0 or later.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aws | aws-sdk-php | >= 0 < 3.368.0 | 3.368.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
| NVD | CVSS 4.0 | 6.0 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined) |
| OSV | | 6.0 | MEDIUM | |
GHSA
ghsa·2025-12-18
CVE-2025-14761 [MEDIUM] CWE-327 AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue
## Summary
S3 Encryption Client for PHP is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key.
## Impact
### Background - Key Commitment
There is a cryptographic property whereby under certain conditions, a single ciphertext can be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which an en
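The property the advisory describes, worked through in code. This is an added example, not code from the AWS SDK for PHP or from the advisory: it builds one AES-GCM ciphertext and tag that authenticate under two different 16-byte data keys (the "invisible salamander" of the paper cited above, obtained by solving the GF(2^128) tag equation for one sacrificial ciphertext block), which is what lets a swapped EDK yield a second, different plaintext, and then shows a key-commitment check that ties the stored ciphertext to a single data key. The keys, nonce and plaintext are constructed sample values; the gf128 helpers, `salamander`, `openGCM`, `commitment` and `openCommitted` are this example's own names, and the HMAC-of-a-label commitment is a simplified illustration of the technique, not a description of the SDK's fix.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// gf128 is an element of GCM's GF(2^128) in the bit-reflected layout of NIST
// SP 800-38D, held as two big-endian words; gfOne is the multiplicative identity.
type gf128 struct{ hi, lo uint64 }

var gfOne = gf128{hi: 1 << 63}

func gfFromBytes(b []byte) gf128 {
	return gf128{binary.BigEndian.Uint64(b), binary.BigEndian.Uint64(b[8:])}
}

func (z gf128) put(dst []byte) {
	binary.BigEndian.PutUint64(dst, z.hi)
	binary.BigEndian.PutUint64(dst[8:], z.lo)
}

func gfAdd(a, b gf128) gf128 { return gf128{a.hi ^ b.hi, a.lo ^ b.lo} }

// gfMul is Algorithm 1 of SP 800-38D (multiplication mod x^128+x^7+x^2+x+1).
func gfMul(x, y gf128) gf128 {
	var z gf128
	v := y
	for i := 0; i < 128; i++ {
		if ([2]uint64{x.hi, x.lo}[i/64]>>(63-uint(i%64)))&1 == 1 {
			z = gfAdd(z, v)
		}
		lsb := v.lo & 1
		v.lo, v.hi = v.lo>>1|v.hi<<63, v.hi>>1
		if lsb == 1 {
			v.hi ^= 0xe100000000000000 // reduce by R = 11100001 || 0^120
		}
	}
	return z
}

// gfInv returns x^(2^128-2) = 1/x by square-and-multiply.
func gfInv(x gf128) gf128 {
	r, b := gfOne, x
	for i := 0; i < 128; i++ {
		if i > 0 {
			r = gfMul(r, b)
		}
		b = gfMul(b, b)
	}
	return r
}

// gcmSetup returns the AEAD for a 16-byte key together with the two secrets
// every GCM tag depends on: H = E_K(0^128) and E_K(J0) for a 96-bit nonce.
func gcmSetup(key, nonce []byte) (g cipher.AEAD, h, ekj0 gf128) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ = cipher.NewGCM(blk) // cannot fail for an AES block
	var in, out [16]byte
	blk.Encrypt(out[:], in[:])
	h = gfFromBytes(out[:])
	copy(in[:12], nonce)
	in[15] = 1 // J0 = nonce || 0^31 || 1
	blk.Encrypt(out[:], in[:])
	return g, h, gfFromBytes(out[:])
}

// ghash is GHASH_H over whole ciphertext blocks with no AAD:
// C_1*H^(m+1) + ... + C_m*H^2 + ([0]64 || [len(C)]64)*H.
func ghash(h gf128, ct []byte) gf128 {
	var y gf128
	for i := 0; i < len(ct); i += 16 {
		y = gfMul(gfAdd(y, gfFromBytes(ct[i:])), h)
	}
	return gfMul(gfAdd(y, gf128{lo: uint64(len(ct)) * 8}), h)
}

// salamander returns nonce||ct||tag that AES-GCM accepts under BOTH k1 and k2.
// ct is p1 (a whole number of blocks) encrypted under k1 plus one sacrificial
// block C_m chosen so the tags coincide: with R_k = GHASH_Hk(ct with C_m = 0),
// E1+R1+C_m*H1^2 = E2+R2+C_m*H2^2 gives C_m = (E1+E2+R1+R2)/(H1^2+H2^2).
func salamander(k1, k2, nonce, p1 []byte) []byte {
	g1, h1, e1 := gcmSetup(k1, nonce)
	_, h2, e2 := gcmSetup(k2, nonce)
	ct := append(g1.Seal(nil, nonce, p1, nil)[:len(p1)], make([]byte, 16)...)
	num := gfAdd(gfAdd(e1, e2), gfAdd(ghash(h1, ct), ghash(h2, ct)))
	den := gfAdd(gfMul(h1, h1), gfMul(h2, h2))
	gfMul(num, gfInv(den)).put(ct[len(p1):])
	tag := make([]byte, 16)
	gfAdd(e1, ghash(h1, ct)).put(tag)
	return append(append(append([]byte{}, nonce...), ct...), tag...)
}

// openGCM is a plain, non-committing reader: any key whose tag verifies wins.
func openGCM(key, blob []byte) ([]byte, bool) {
	g, _, _ := gcmSetup(key, blob[:12])
	pt, err := g.Open(nil, blob[:12], blob[12:], nil)
	return pt, err == nil
}

// commitment is an illustrative key-commitment value (HMAC of a fixed label
// under the data key) that a committing writer stores beside the ciphertext.
func commitment(dataKey []byte) []byte {
	mac := hmac.New(sha256.New, dataKey)
	mac.Write([]byte("key-commitment"))
	return mac.Sum(nil)
}

// openCommitted refuses a data key whose commitment differs from the stored
// one before touching the ciphertext, so at most one key can ever open it.
func openCommitted(key, stored, blob []byte) ([]byte, bool) {
	if !hmac.Equal(commitment(key), stored) {
		return nil, false
	}
	return openGCM(key, blob)
}

func main() {
	k1, k2 := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed
	nonce := []byte("nonce-nonce1")
	blob := salamander(k1, k2, nonce, []byte("approved payroll v1 amount=1000 "))
	p1, ok1 := openGCM(k1, blob)
	p2, ok2 := openGCM(k2, blob)
	fmt.Printf("key1 ok=%v %q\nkey2 ok=%v %x\n", ok1, p1[:32], ok2, p2[:32])
	_, ok := openCommitted(k2, commitment(k1), blob)
	fmt.Println("swapped key accepted by committing reader:", ok)
}
```

Run with `go run`: the first two lines show both keys accepting the same blob with different plaintexts (only the first 32 bytes under key 1 are the intended message; the sacrificial third block is junk under both keys), and the last line shows the committing reader refusing key 2 before it decrypts anything. The point for the S3 case is that a GCM tag alone does not identify the key: whoever can choose the second key and rewrite the bytes can make one stored ciphertext valid under two EDKs. With a commitment value derived from the data key and checked against whatever key actually comes out of the instruction file, a given ciphertext plus its metadata can be opened by at most one key, so swapping the EDK can no longer produce a second plaintext that the same object also accepts under the original key.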
OSV
AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue
osv·2025-12-18
OSV
osv·2025-12-17·CVSS 6.0
CVE-2025-14761 [MEDIUM]
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-14761 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.0
## CVE-2025-14761 : PHP vulnerability analysis and mitigation
Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade AWS SDK for PHP to version 3.368.0 or later.
Source: NVD
Score: 6 (CNA score 6.0) · Severity: MEDIUM · Published: December 17, 2025
Affected technologies: PHP, Wolfi
Has public exploit: No
Has CISA KEV exploit: No (CISA KEV release date: N/A; CISA KEV due date: N/A)
Exploitation probability percentile (EPSS): 3.9
Exploitation probability (EPSS): N/A
Affected packages and libraries: nextcloud-server-31, nextcloud-server-32
GHSA-27qh-8cxx-2cr5 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-27qh-8cxx-2cr5 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-27qh-8cxx-2cr5 :
AWS SDK for PHP vulnerability analysis and mitigation
## Summary
This notification is related to the CloudFront signing utilities in the AWS SDK for PHP, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and backslashes, in input values.
## Impact
The CloudFront signing utilities build policy documents that define access restrictions for signed URLs and cookies. If an application passes unsanitized input containing special characters to these utilities, the resulting policy document may not reflect the application's intended access restrictions. While the SDK was functioning safely within the requirements of the sha
Published 2025-12-17
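The concern described in this entry, as an added example that is not the SDK's own code: a policy document built by splicing the caller's value into a JSON template versus one built by serialising a typed document, both fed the same attacker-shaped resource string. The struct types follow the public CloudFront custom-policy layout (`Statement`, `Resource`, `Condition.DateLessThan.AWS:EpochTime`) but are this example's own, as are `buildPolicyUnsafe`, `buildPolicySafe` and `parsePolicy`; the `injected` input is constructed; signing the document is omitted because it would simply sign whichever bytes were produced.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// policy mirrors the shape of a CloudFront custom policy document (assumed
// from the public policy format; these are not the SDK's own types).
type policy struct {
	Statement []statement `json:"Statement"`
}

type statement struct {
	Resource  string    `json:"Resource"`
	Condition condition `json:"Condition"`
}

type condition struct {
	DateLessThan epochTime `json:"DateLessThan"`
}

type epochTime struct {
	AWSEpochTime int64 `json:"AWS:EpochTime"`
}

// buildPolicyUnsafe splices the caller's resource into a JSON template
// unescaped, so a double quote in the input terminates the string early.
func buildPolicyUnsafe(resource string, expires int64) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`, resource, expires)
}

// buildPolicySafe serialises a typed document; quotes and backslashes in the
// resource are escaped, so the input can only ever be a resource value.
func buildPolicySafe(resource string, expires int64) (string, error) {
	doc := policy{Statement: []statement{{
		Resource:  resource,
		Condition: condition{DateLessThan: epochTime{AWSEpochTime: expires}},
	}}}
	b, err := json.Marshal(doc)
	return string(b), err
}

// parsePolicy shows what a consumer of the document actually sees.
func parsePolicy(doc string) (policy, error) {
	var p policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// injected is a constructed attacker-controlled "resource": it closes the
// Resource string and appends a second statement covering the whole distribution.
const injected = `https://d111.cloudfront.net/private/a.jpg","Condition":{"DateLessThan":{"AWS:EpochTime":1}}},{"Resource":"https://d111.cloudfront.net/*`

func main() {
	u, _ := parsePolicy(buildPolicyUnsafe(injected, 1800000000))
	fmt.Printf("unsafe: %d statements, last resource %q\n", len(u.Statement), u.Statement[len(u.Statement)-1].Resource)
	safe, _ := buildPolicySafe(injected, 1800000000)
	s, _ := parsePolicy(safe)
	fmt.Printf("safe:   %d statements, resource %q\n", len(s.Statement), s.Statement[0].Resource)
}
```

The unsafe builder yields a syntactically valid document with two statements, the second granting the wildcard resource for the full validity period, while the safe builder keeps the whole input inside one `Resource` string. The same check applies to any application code that assembles a policy before handing it to the signing utilities: validate the resource (scheme, host, path) before it is used, and never build the document by string concatenation.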