Use of a Broken or Risky Cryptographic Algorithm

CVE-2025-14761

Medium

6/10

Summary

Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. This issue affects versions through 3.367.3. To mitigate this issue, upgrade AWS SDK for PHP to version 3.368.0 or later

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

References

Advisory
Release Note
Release Note
Pull request

Advisory Timeline

Published Dec 17, 2025

Use of a Broken or Risky Cryptographic Algorithm

CVE-2025-14761

Summary

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS