CVE-2025-14761Use of a Broken or Risky Cryptographic Algorithm in Aws-sdk-php

CWE-327Use of a Broken or Risky Cryptographic Algorithm7 documents5 sources
Severity
6.0MEDIUMNVD
EPSS
0.0%
top 94.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
AWS Aws-sdk-php
Timeline
PublishedDec 17
Latest updateDec 18

Description

Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade AWS SDK for PHP to version 3.368.0 or later

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

Packagistaws/aws-sdk-php< 3.368.0

🔴Vulnerability Details

4
GHSA
AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue2025-12-18
OSV
AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue2025-12-18
OSV
CVE-2025-14761: Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts t2025-12-17
CVEList
CVE-2025-14761: Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts t2025-12-17

🕵️Threat Intelligence

2
Wiz
CVE-2025-14761 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
GHSA-27qh-8cxx-2cr5 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-14761 — AWS Aws-sdk-php vulnerability | cvebase