
CVE-2025-14759


Description

Missing cryptographic key commitment in the Amazon S3 Encryption Client for .NET may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record.

To mitigate this issue, upgrade Amazon S3 Encryption Client for .NET to version 3.2.0 or later.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
Amazon.Extensions.S3.Encryption (NuGet) | < 3.2.0 | 3.2.0


Patches

6a0272c79347

fix: default credentials bug

3 files changed · +23 8
  • src/AmazonS3EncryptionClientBase.cs+3 4 modified
    @@ -112,8 +112,7 @@ internal IAmazonKeyManagementService KMSClient
                             {
                                 if (this.S3CryptoConfig.KmsConfig != null)
                                 {
    -                                kmsClient = new AmazonKeyManagementServiceClient(this.Config.DefaultAWSCredentials, 
    -                                    this.S3CryptoConfig.KmsConfig);
    +                                kmsClient = new AmazonKeyManagementServiceClient(ExplicitAWSCredentials ?? Config.DefaultAWSCredentials, S3CryptoConfig.KmsConfig);
                                 }
                                 else
                                 {
    @@ -129,7 +128,7 @@ internal IAmazonKeyManagementService KMSClient
                                         kmsConfig.SetWebProxy(proxySettings);
                                     }
                                     
    -                                kmsClient = new AmazonKeyManagementServiceClient(this.Config.DefaultAWSCredentials, kmsConfig);
    +                                kmsClient = new AmazonKeyManagementServiceClient(ExplicitAWSCredentials ?? Config.DefaultAWSCredentials, kmsConfig);
                                 }
                             }
                         }
    @@ -146,7 +145,7 @@ internal AmazonS3Client S3ClientForInstructionFile
     	        {
     	            if (s3ClientForInstructionFile == null)
     	            {
    -                    s3ClientForInstructionFile = new AmazonS3Client(this.Config.DefaultAWSCredentials, S3CryptoConfig);
    +                    s3ClientForInstructionFile = new AmazonS3Client(ExplicitAWSCredentials ?? Config.DefaultAWSCredentials, S3CryptoConfig);
                     }
     	            return s3ClientForInstructionFile;
     	        }
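Review bot: The credential selection `ExplicitAWSCredentials ?? Config.DefaultAWSCredentials` is now spelled out three times (both KMS branches in the first two hunks and the instruction-file S3 client in the third), so a further wrapped client added later can silently miss it; a single private getter such as `private AWSCredentials CredentialsForWrappedClients => ExplicitAWSCredentials ?? Config.DefaultAWSCredentials;` used at all three sites keeps the rule in one place. That getter is also the natural home for a comment stating why explicit credentials take precedence: the instruction-file client is what reads the encrypted data key when it is stored outside the object metadata, so it must act under the identity the caller configured rather than whatever the default chain resolves to. When both operands are null the SDK constructor receives null; whether it then falls back to the default credential chain is decided in the SDK outside this hunk and deserves a sentence in that comment. The new line in the third hunk is indented with spaces while its neighbours use tabs. The getters `KMSClient` and `S3ClientForInstructionFile` begin above their hunks.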
    
  • test/UnitTests/AmazonS3EncryptionClientTests.cs+10 2 modified
    @@ -3,6 +3,7 @@
     using Amazon.Extensions.S3.Encryption.Primitives;
     using Amazon.KeyManagementService;
     using Amazon.Runtime;
    +using Amazon.S3;
     using Xunit;
     
     namespace Amazon.Extensions.S3.Encryption.UnitTests
    @@ -82,9 +83,16 @@ public void S3EncryptionClient_AllWrappedClientsInheritBaseConfiguration()
                 //= type=test
                 //# If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped SDK clients including the KMS client.
                 Assert.Equal(config.RegionEndpoint, client.S3ClientForInstructionFile.Config.RegionEndpoint);
    -            Assert.Equal(credentials, client.S3ClientForInstructionFile.Config.DefaultAWSCredentials);
                 Assert.Equal(config.RegionEndpoint, client.KMSClient.Config.RegionEndpoint);
    -            Assert.Equal(credentials, client.Config.DefaultAWSCredentials);
    +                        
    +            // Use reflection to get the actual credentials from the s3 and kms clients since ExplicitAWSCredentials is not exposed
    +            var s3ClientCredentials = typeof(AmazonS3Client).GetProperty("ExplicitAWSCredentials", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance)?
    +                .GetValue(client.S3ClientForInstructionFile);
    +            Assert.Equal(credentials, s3ClientCredentials);
    +
    +            var kmsClientCredentials = typeof(AmazonKeyManagementServiceClient).GetProperty("ExplicitAWSCredentials", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance)?
    +                .GetValue(client.KMSClient);
    +            Assert.Equal(credentials, kmsClientCredentials);
             }
         }
     }
    \ No newline at end of file
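Review bot: The null-conditional in `GetProperty(...)?.GetValue(...)` turns a renamed or removed SDK-internal `ExplicitAWSCredentials` into a misleading "expected credentials, actual null" mismatch instead of a failure that names the missing member, and the same reflection block is duplicated for both wrapped clients here and again in the second hunk of test/UnitTests/AmazonS3EncryptionClientV2Tests.cs. A small helper that throws when the property is absent, called once per client, addresses both; the lookup type stays an explicit argument so exactly the same non-public members are found as today. The added line before the comment contains only trailing whitespace and should be an empty line. The enclosing test method starts above the hunk.
```csharp
// … unchanged: region assertions …
Assert.Equal(credentials, GetExplicitCredentials(typeof(AmazonS3Client), client.S3ClientForInstructionFile));
Assert.Equal(credentials, GetExplicitCredentials(typeof(AmazonKeyManagementServiceClient), client.KMSClient));

// Reads the SDK's non-public ExplicitAWSCredentials; fails by name if the SDK renames it, rather than as a null mismatch.
static object GetExplicitCredentials(System.Type clientType, object sdkClient)
{
    var property = clientType.GetProperty("ExplicitAWSCredentials", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance)
        ?? throw new System.InvalidOperationException($"ExplicitAWSCredentials not found on {clientType.Name}");
    return property.GetValue(sdkClient);
}
```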
    
  • test/UnitTests/AmazonS3EncryptionClientV2Tests.cs+10 2 modified
    @@ -3,6 +3,7 @@
     using Amazon.Extensions.S3.Encryption.Primitives;
     using Amazon.KeyManagementService;
     using Amazon.Runtime;
    +using Amazon.S3;
     using Xunit;
     
     namespace Amazon.Extensions.S3.Encryption.UnitTests
    @@ -80,9 +81,16 @@ public void S3EncryptionClient_AllWrappedClientsInheritBaseConfiguration()
                 //= type=test
                 //# If the S3EC accepts SDK client configuration, the configuration MUST be applied to all wrapped SDK clients including the KMS client.
                 Assert.Equal(config.RegionEndpoint, client.S3ClientForInstructionFile.Config.RegionEndpoint);
    -            Assert.Equal(credentials, client.S3ClientForInstructionFile.Config.DefaultAWSCredentials);
                 Assert.Equal(config.RegionEndpoint, client.KMSClient.Config.RegionEndpoint);
    -            Assert.Equal(credentials, client.Config.DefaultAWSCredentials);
    +                        
    +            // Use reflection to get the actual credentials from the s3 and kms clients since ExplicitAWSCredentials is not exposed
    +            var s3ClientCredentials = typeof(AmazonS3Client).GetProperty("ExplicitAWSCredentials", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance)?
    +                .GetValue(client.S3ClientForInstructionFile);
    +            Assert.Equal(credentials, s3ClientCredentials);
    +
    +            var kmsClientCredentials = typeof(AmazonKeyManagementServiceClient).GetProperty("ExplicitAWSCredentials", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Instance)?
    +                .GetValue(client.KMSClient);
    +            Assert.Equal(credentials, kmsClientCredentials);
             }
         }
     }
    \ No newline at end of file
    

