CVE-2025-14764
PUBLISHED
CVSS 5.3 MEDIUM
Missing cryptographic key commitment in the Amazon S3 Encryption Client for Go may allow a user with write access to the S3 bucket to introduce a new encrypted data key (EDK) that decrypts to different plaintext when the EDK is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade Amazon S3 Encryption Client for Go to version 4.0 or later.
EPSS 0.01% · 1.6th percentile
Risk Scores
CVSS v3.1
5.3
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Score
0.01%
1.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | aws/amazon-s3-encryption-client-go/v3 | 0 |
| AWS | S3 Encryption Client for Go | 4.0 |
Timeline
- Dec 16, 2025 CVE ID Reserved
- Dec 17, 2025 CVE Published
- Dec 17, 2025 PoC Published
- Dec 17, 2025 CVE Updated
- Dec 18, 2025 EPSS Score
- Dec 22, 2025 EPSS Score
- Dec 26, 2025 EPSS Score
- Dec 30, 2025 EPSS Score
- Jan 2, 2026 EPSS Score
- Jan 6, 2026 EPSS Score
- Jan 10, 2026 EPSS Score
- Jan 14, 2026 EPSS Score
References
- https://aws.amazon.com/security/security-bulletins/AWS-2025-032/ vendor-advisory
- https://github.com/aws/amazon-s3-encryption-client-go/security/advisories/GHSA-3g75-q268-r9r6 third-party-advisory
- https://github.com/aws/amazon-s3-encryption-client-go/releases/tag/v4.0.0 patch
- https://nvd.nist.gov/vuln/detail/CVE-2025-14764 advisory
- https://github.com/aws/amazon-s3-encryption-client-go/commit/3e1740ec014e234e6d454291615011122e642b5d url
- https://aws.amazon.com/security/security-bulletins/AWS-2025-032 url
- https://github.com/aws/amazon-s3-encryption-client-go package