CVE-2025-14764

Source
https://cve.org/CVERecord?id=CVE-2025-14764
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14764.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-14764
Aliases
Published
2025-12-17T21:15:53.847Z
Modified
2026-03-14T12:41:40.017258Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
[none]
Details

Missing cryptographic key commitment in the Amazon S3 Encryption Client for Go may allow a user with write access to the S3 bucket to introduce a new encrypted data key (EDK) that decrypts to different plaintext when the EDK is stored in an "instruction file" instead of S3's metadata record.

To mitigate this issue, upgrade Amazon S3 Encryption Client for Go to version 4.0 or later.

References

Affected packages

Git / github.com/aws/amazon-s3-encryption-client-go

Affected ranges

Type
GIT
Repo
https://github.com/aws/amazon-s3-encryption-client-go
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v3.*
v3.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14764.json"