CVE-2025-14764: Amazon S3 Encryption Client has a Key Commitment Issue
S3 Encryption Client for Go is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an “Instruction File” instead of S3’s metadata record, the EDK is exposed to an “Invisible Salamanders” attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key.
References
- aws.amazon.com/security/security-bulletins/AWS-2025-032
- github.com/advisories/GHSA-3g75-q268-r9r6
- github.com/aws/amazon-s3-encryption-client-go
- github.com/aws/amazon-s3-encryption-client-go/commit/3e1740ec014e234e6d454291615011122e642b5d
- github.com/aws/amazon-s3-encryption-client-go/releases/tag/v4.0.0
- github.com/aws/amazon-s3-encryption-client-go/security/advisories/GHSA-3g75-q268-r9r6
- nvd.nist.gov/vuln/detail/CVE-2025-14764
Code Behaviors & Features
Detect and mitigate CVE-2025-14764 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →