CVE-2025-14761
📋 TL;DR
This vulnerability in the AWS SDK for PHP allows an attacker with write access to an S3 bucket to manipulate encrypted data keys, potentially causing decryption to produce different plaintext than originally encrypted. It affects PHP applications using the AWS SDK's S3 client-side encryption with instruction files. The risk is limited to scenarios where attackers already have bucket write permissions.
💻 Affected Systems
- AWS SDK for PHP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Data integrity compromise where encrypted files decrypt to malicious content, potentially leading to data corruption, fraud, or system compromise if decrypted content is executed.
Likely Case
Limited data manipulation affecting specific encrypted objects where an attacker with bucket write access can cause decryption inconsistencies.
If Mitigated
Minimal impact with proper access controls limiting bucket write permissions and monitoring for unauthorized changes.
🎯 Exploit Status
Exploitation requires an attacker to have write permissions to the S3 bucket and knowledge of the encryption implementation details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.368.0
Vendor Advisory: https://github.com/aws/aws-sdk-php/security/advisories/GHSA-x8cp-jf6f-r4xh
Restart Required: No
Instructions:
1. Update composer.json to require "aws/aws-sdk-php": "^3.368.0"
2. Run composer update aws/aws-sdk-php
3. Deploy the updated application code
4. Test S3 encryption functionality
🔧 Temporary Workarounds
- Disable instruction file usage: configure S3 client-side encryption to store encrypted data keys in object metadata instead of instruction files
- Modify the S3 encryption configuration to use 'metadata' instead of 'instructionFileSuffix'
🧯 If You Can't Patch
- Implement strict IAM policies to limit S3 bucket write permissions to only trusted entities
- Enable S3 bucket versioning and monitor for unexpected object modifications
🔍 How to Verify
Check if Vulnerable:
Check the aws/aws-sdk-php version recorded in composer.lock, or the version of the installed vendor/aws/aws-sdk-php/src/S3/Crypto/HeadersMetadataStrategy.php
Check Version:
composer show aws/aws-sdk-php | grep versions
Verify Fix Applied:
Verify that the aws/aws-sdk-php version is 3.368.0 or higher via composer show aws/aws-sdk-php
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to S3 objects with the .instruction extension
- Failed decryption attempts or decryption errors in application logs
Network Indicators:
- Unusual PUT requests to S3 buckets modifying instruction files
SIEM Query:
source="aws.cloudtrail" eventName="PutObject" requestParameters.key="*.instruction"
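As an added example (not part of this advisory or the SDK), the SIEM query above expressed as an offline check over CloudTrail S3 data-event records: it flags writes to instruction files by principals outside an allowlist of expected writers, and takes the suffix as a parameter because the SDK lets applications change it. The log records, bucket, ARNs and the allowlist are constructed for illustration.

```python
import json

# Default suffix used by the SDK's instruction-file strategy. It is configurable,
# so pass the suffix your application actually uses.
DEFAULT_SUFFIX = ".instruction"
WRITE_EVENTS = {"PutObject", "CopyObject"}

def instruction_file_writes(events, suffix=DEFAULT_SUFFIX, trusted_arns=frozenset()):
    """Return the S3 data events that (over)write an instruction file from a
    principal not on the allowlist of expected writers (e.g. the app's own role)."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        key = params.get("key", "")
        if not key.endswith(suffix):
            continue
        actor = (ev.get("userIdentity") or {}).get("arn", "")
        if actor in trusted_arns:
            continue
        hits.append({
            "time": ev.get("eventTime"),
            "actor": actor,
            "bucket": params.get("bucketName"),
            "key": key,
            # the encrypted object whose data key this instruction file carries
            "data_object": key[: -len(suffix)],
        })
    return hits

def scan_cloudtrail_lines(lines, **kwargs):
    """Parse newline-delimited CloudTrail records and run the check over them."""
    return instruction_file_writes((json.loads(ln) for ln in lines if ln.strip()), **kwargs)

# Constructed sample records (not real CloudTrail output): the application role
# writes an instruction file legitimately, then an unexpected user overwrites it.
SAMPLE_LOG = """
{"eventTime":"2025-12-01T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},"requestParameters":{"bucketName":"example-bucket","key":"reports/q3.csv.instruction"}}
{"eventTime":"2025-12-01T10:00:01Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},"requestParameters":{"bucketName":"example-bucket","key":"reports/q3.csv"}}
{"eventTime":"2025-12-01T11:30:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"requestParameters":{"bucketName":"example-bucket","key":"reports/q3.csv.instruction"}}
{"eventTime":"2025-12-01T11:31:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"requestParameters":{"bucketName":"example-bucket","key":"reports/q3.csv.instruction"}}
"""
TRUSTED = frozenset({"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"})

if __name__ == "__main__":
    for hit in scan_cloudtrail_lines(SAMPLE_LOG.splitlines(), trusted_arns=TRUSTED):
        print(f"{hit['time']} {hit['actor']} overwrote {hit['bucket']}/{hit['key']} (data key for {hit['data_object']})")
```

Object-level PutObject records only reach CloudTrail when S3 data events are enabled on the trail; without them this check has nothing to match.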