CVE-2025-14763
PUBLISHED
CVSS 6 MEDIUM
Missing cryptographic key commitment in the Amazon S3 Encryption Client for Java may allow a user with write access to the S3 bucket to introduce a new encrypted data key (EDK) that decrypts to a different plaintext when the encrypted data key is stored in an "instruction file" instead of in the S3 object's metadata record. To mitigate this issue, upgrade the Amazon S3 Encryption Client for Java to version 4.0.0 or later.
EPSS 0.01% · 1.6th percentile
Risk Scores
- CVSS v4.0: 6 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N)
- EPSS Score: 0.01% (1.6th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| AWS | S3 Encryption Client for Java | 4.0.0 |
| Maven | software.amazon.encryption.s3:amazon-s3-encryption-client-java | 0 |
Timeline
- Dec 16, 2025 CVE ID Reserved
- Dec 17, 2025 CVE Published
- Dec 17, 2025 PoC Published
- Dec 17, 2025 CVE Updated
- Dec 18, 2025 EPSS Score
- Dec 22, 2025 EPSS Score
- Dec 26, 2025 EPSS Score
- Dec 30, 2025 EPSS Score
- Jan 2, 2026 EPSS Score
- Jan 6, 2026 EPSS Score
- Jan 10, 2026 EPSS Score
- Jan 14, 2026 EPSS Score
References
- https://aws.amazon.com/security/security-bulletins/AWS-2025-032/ vendor-advisory
- https://github.com/aws/amazon-s3-encryption-client-java/security/advisories/GHSA-x44p-gvrj-pj2r third-party-advisory
- https://github.com/aws/amazon-s3-encryption-client-java/releases/tag/v4.0.0 patch
- https://nvd.nist.gov/vuln/detail/CVE-2025-14763 advisory
- https://github.com/aws/amazon-s3-encryption-client-java/commit/9d4523edbbc249781b3b3b3f8868fad39c5673d5 url
- https://aws.amazon.com/security/security-bulletins/AWS-2025-032 url
- https://github.com/aws/amazon-s3-encryption-client-java package