CVE-2025-14762: AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue
(updated )
S3 Encryption Client for Ruby is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an “Instruction File” instead of S3’s metadata record, the EDK is exposed to an “Invisible Salamanders” attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key.
References
- aws.amazon.com/security/security-bulletins/AWS-2025-032
- github.com/advisories/GHSA-2xgq-q749-89fq
- github.com/aws/aws-sdk-ruby
- github.com/aws/aws-sdk-ruby/commit/b633ba10cd2fbc4cc770b76ab531ed9647654044
- github.com/aws/aws-sdk-ruby/security/advisories/GHSA-2xgq-q749-89fq
- github.com/rubysec/ruby-advisory-db/blob/master/gems/aws-sdk-s3/CVE-2025-14762.yml
- nvd.nist.gov/vuln/detail/CVE-2025-14762
- rubygems.org/gems/aws-sdk-s3/versions/1.208.0
Code Behaviors & Features
Detect and mitigate CVE-2025-14762 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →