CVE-2025-14761
cryptographic bypass vulnerability in aws/aws-sdk-php (Packagist)
What is CVE-2025-14761 About?
This vulnerability in the S3 Encryption Client for PHP (S3EC, shipped as part of aws/aws-sdk-php) allows a cryptographic bypass because key commitment is not enforced when the encrypted data key is stored in an instruction file. An attacker who can replace the encrypted data key (EDK) can cause the stored object to decrypt to a different plaintext. Exploitation requires specific conditions, including the ability to upload a rogue instruction file to the bucket that holds the encrypted object.
Affected Software
aws/aws-sdk-php (Packagist), versions before 3.368.0; the issue is fixed in 3.368.0.
Technical Details
The vulnerability occurs when an 'Instruction File' is used to store the Encrypted Data Key (EDK) as a separate S3 object instead of in the encrypted object's S3 metadata. In affected versions of S3EC, key commitment is not implemented for this configuration: the ciphertext is not bound to a single EDK, so more than one EDK can be accepted for the same encrypted object. An attacker who can (i) create a rogue EDK that decrypts the stored ciphertext to a plaintext of their choosing and (ii) upload a new instruction file to the S3 bucket, replacing the existing one, can mount an 'Invisible Salamanders' attack. Subsequent decryption attempts then unwittingly use the attacker's EDK and return the altered plaintext, with no indication to the caller that the key was substituted.
What is the Impact of CVE-2025-14761?
Successful exploitation lets an attacker bypass the integrity guarantee of the encryption envelope: an encrypted object can be made to decrypt to attacker-chosen content, so data can be manipulated or modified without the consuming application detecting the change.
What is the Exploitability of CVE-2025-14761?
Exploitation is complex and requires specific conditions and capabilities on the attacker's side. First, the attacker must be able to generate a valid rogue Encrypted Data Key (EDK) under which the targeted ciphertext decrypts to a chosen plaintext. Second, and crucially, the attacker must hold sufficient privileges to upload a modified 'instruction file' to the S3 bucket, replacing the legitimate one; in practice this means authenticated access with write permission to the bucket that stores the encrypted objects and their instruction files. The attack is carried out remotely against S3, but it depends entirely on the attacker already having valid credentials or other control over the storage environment. Risk factors that make exploitation more likely include overly permissive access control on S3 buckets and the absence of monitoring for writes to instruction files.
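The exploitability discussion above names the absence of monitoring for instruction-file writes as a risk factor. The following is an added example, not code from this page, the AWS SDK for PHP, or AWS, that flags suspicious instruction-file writes in CloudTrail S3 data events. It assumes that the instruction file is a sibling object named "<key>.instruction" (an assumed naming convention; adjust to your deployment), that a legitimate S3EC upload writes the data object and its instruction file within a short window of each other and under the same principal, and that the log lines embedded below are constructed samples rather than real events.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for this example: the S3 Encryption Client stores the EDK in a
# sibling object named "<object key>.instruction". Adjust to your deployment.
INSTRUCTION_SUFFIX = ".instruction"
# Heuristic: a legitimate S3EC upload writes the object and its instruction
# file together; an instruction file rewritten long after the data object, or
# by a different principal, is treated as suspicious.
PAIRING_WINDOW = timedelta(seconds=60)

# Constructed CloudTrail-style S3 data events (not real logs), one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2025-12-09T10:00:00Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/worker"},"requestParameters":{"bucketName":"finance-data","key":"report.csv"}}
{"eventTime":"2025-12-09T10:00:01Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/worker"},"requestParameters":{"bucketName":"finance-data","key":"report.csv.instruction"}}
{"eventTime":"2025-12-09T10:05:00Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/worker"},"requestParameters":{"bucketName":"finance-data","key":"notes.txt"}}
{"eventTime":"2025-12-09T10:05:02Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/worker"},"requestParameters":{"bucketName":"finance-data","key":"notes.txt.instruction"}}
{"eventTime":"2025-12-09T11:30:00Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"requestParameters":{"bucketName":"finance-data","key":"report.csv.instruction"}}
{"eventTime":"2025-12-09T12:00:00Z","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/analyst"},"requestParameters":{"bucketName":"finance-data","key":"report.csv"}}
{"eventTime":"2025-12-09T12:10:00Z","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"requestParameters":{"bucketName":"finance-data","key":"orphan.bin.instruction"}}
"""


def parse_events(log_text):
    """Parse JSON-lines CloudTrail records into dicts sorted by event time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        params = rec.get("requestParameters") or {}
        if "key" not in params:  # bucket-level events carry no object key
            continue
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": rec["eventName"],
            "principal": rec["userIdentity"]["arn"],
            "bucket": params["bucketName"],
            "key": params["key"],
        })
    return sorted(events, key=lambda e: e["time"])


def find_instruction_file_replacements(events):
    """Return findings for instruction-file writes that do not look like part of a paired S3EC upload."""
    writes = defaultdict(list)  # (bucket, key) -> PutObject events in time order
    for e in events:
        if e["name"] == "PutObject":
            writes[(e["bucket"], e["key"])].append(e)

    findings = []
    for (bucket, key), puts in writes.items():
        if not key.endswith(INSTRUCTION_SUFFIX):
            continue
        data_puts = writes.get((bucket, key[:-len(INSTRUCTION_SUFFIX)]), [])
        for put in puts:
            # Candidate paired data-object writes: any PutObject on the data key up to
            # PAIRING_WINDOW after this instruction write (the upload order may vary).
            paired = [d for d in data_puts if d["time"] <= put["time"] + PAIRING_WINDOW]
            reasons = []
            if not paired:
                reasons.append("no PutObject on the data object found in the log")
            else:
                last = max(paired, key=lambda d: d["time"])
                if put["time"] - last["time"] > PAIRING_WINDOW:
                    reasons.append("instruction file rewritten %s after the data object" % (put["time"] - last["time"]))
                if put["principal"] != last["principal"]:
                    reasons.append("written by a different principal than the data object")
            if reasons:
                findings.append({
                    "bucket": bucket,
                    "key": key,
                    "time": put["time"].isoformat(),
                    "principal": put["principal"],
                    "reasons": reasons,
                })
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in find_instruction_file_replacements(parse_events(SAMPLE_LOG)):
        print(f["time"], f["bucket"], f["key"], f["principal"], "; ".join(f["reasons"]))
```

Run against the constructed log, the first instruction-file write for "report.csv" is accepted as part of the original upload, while the later rewrite by the contractor user is flagged on both counts (written long after the data object, and by a different principal); the instruction file for "orphan.bin" is flagged because no matching data-object write appears in the log. The pairing window and the "same principal" rule are heuristics for this example; tune them to how your application actually uploads objects, and treat any hit as a reason to re-verify the object before trusting its decrypted contents.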
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | (none) | No public proof-of-concept exploit is known for this vulnerability. |
What are the Available Fixes for CVE-2025-14761?
Available Upgrade Options
- aws/aws-sdk-php
- <3.368.0 → Upgrade to 3.368.0
Additional Resources
- https://github.com/aws/aws-sdk-php/releases/tag/3.368.0
- https://github.com/aws/aws-sdk-php/security/advisories/GHSA-x8cp-jf6f-r4xh
- https://osv.dev/vulnerability/GHSA-x8cp-jf6f-r4xh
- https://nvd.nist.gov/vuln/detail/CVE-2025-14761
- https://github.com/aws/aws-sdk-php/commit/6827cac70397dca07e6e86f7cf630954ec2bc6bf
- https://aws.amazon.com/security/security-bulletins/AWS-2025-032
- https://github.com/aws/aws-sdk-php
What are Similar Vulnerabilities to CVE-2025-14761?
Similar Vulnerabilities: CVE-2021-27513, CVE-2020-5636, CVE-2016-1000338, CVE-2018-0498, CVE-2018-0495
