CVE-2025-14763: Amazon S3 Encryption Client for Java has a Key Commitment Issue
S3 Encryption Client for Java is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an “Instruction File” instead of S3’s metadata record, the EDK is exposed to an “Invisible Salamanders” attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key.
References
- aws.amazon.com/security/security-bulletins/AWS-2025-032
- github.com/advisories/GHSA-x44p-gvrj-pj2r
- github.com/aws/amazon-s3-encryption-client-java
- github.com/aws/amazon-s3-encryption-client-java/commit/9d4523edbbc249781b3b3b3f8868fad39c5673d5
- github.com/aws/amazon-s3-encryption-client-java/releases/tag/v4.0.0
- github.com/aws/amazon-s3-encryption-client-java/security/advisories/GHSA-x44p-gvrj-pj2r
- nvd.nist.gov/vuln/detail/CVE-2025-14763
Code Behaviors & Features
Detect and mitigate CVE-2025-14763 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →