CVE-2025-14761: AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue
(updated )
S3 Encryption Client for PHP is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an “Instruction File” instead of S3’s metadata record, the EDK is exposed to an “Invisible Salamanders” attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key.
References
- aws.amazon.com/security/security-bulletins/AWS-2025-032
- github.com/FriendsOfPHP/security-advisories/blob/master/aws/aws-sdk-php/CVE-2025-14761.yaml
- github.com/advisories/GHSA-x8cp-jf6f-r4xh
- github.com/aws/aws-sdk-php
- github.com/aws/aws-sdk-php/commit/6827cac70397dca07e6e86f7cf630954ec2bc6bf
- github.com/aws/aws-sdk-php/releases/tag/3.368.0
- github.com/aws/aws-sdk-php/security/advisories/GHSA-x8cp-jf6f-r4xh
- nvd.nist.gov/vuln/detail/CVE-2025-14761
Code Behaviors & Features
Detect and mitigate CVE-2025-14761 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →