Amazon · Amazon S3 Encryption Client For Java · CVE-2025-14763
**Name of the Vulnerable Software and Affected Versions**
Amazon S3 Encryption Client for Java versions prior to 4.0.0
**Description**
A missing cryptographic key commitment in the Amazon S3 Encryption Client for Java could allow a user with write access to an S3 bucket to introduce a new Encryption Data Key (EDK) that decrypts to different plaintext. This is possible when the encrypted data key is stored in an instruction file instead of S3’s metadata record.
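What a key commitment check does in the instruction-file case described above, shown as an added example that is not the S3 Encryption Client's code or its algorithm: a commitment derived from the data key is kept with the object, so a key unwrapped from a replaced instruction file fails the comparison before any decryption happens. The HMAC construction, the label, the field names and the dictionary standing in for key unwrapping are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

LABEL = b"example-commit-v1"  # constructed domain-separation label (assumption)


def key_commitment(data_key: bytes, object_id: bytes) -> bytes:
    """Commitment bound to one data key and one object."""
    # HMAC-SHA-512 keyed with the data key: producing the same value from a
    # different key would require a collision in the underlying hash.
    return hmac.new(data_key, LABEL + object_id, hashlib.sha512).digest()[:32]


def write_object(data_key: bytes, edk: bytes):
    """Return (object header, instruction file) as written at encryption time."""
    object_id = secrets.token_bytes(16)
    header = {"object_id": object_id,
              "commitment": key_commitment(data_key, object_id)}
    instruction_file = {"edk": edk}  # stored separately from the object
    return header, instruction_file


def key_for_decrypt(header, instruction_file, unwrap):
    """Unwrap the EDK, then refuse the key unless it matches the commitment."""
    data_key = unwrap(instruction_file["edk"])
    expected = key_commitment(data_key, header["object_id"])
    if not hmac.compare_digest(expected, header["commitment"]):
        raise ValueError("key commitment mismatch: EDK is not the key used to encrypt")
    return data_key


def demo():
    # Constructed sample keys; the dict is a toy stand-in for a real unwrap call.
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    wrapped = {b"edk-a": key_a, b"edk-b": key_b}
    header, instr = write_object(key_a, b"edk-a")
    accepted = key_for_decrypt(header, instr, wrapped.__getitem__) == key_a
    replaced = {"edk": b"edk-b"}  # instruction file pointing at a different EDK
    try:
        key_for_decrypt(header, replaced, wrapped.__getitem__)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected
```
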
**Recommendations**
Upgrade Amazon S3 Encryption Client for Java to version 4.0.0 or later.