The vulnerability is a missing key commitment in the S3 Encryption Client for PHP. When the library’s `InstructionFileMetadataStrategy` is used, the Encrypted Data Key (EDK) is stored in a separate instruction file in the S3 bucket rather than in the object’s own metadata, and nothing in the ciphertext binds it to the key it was encrypted with. The content cipher, AES-GCM, is not key-committing: the same ciphertext can pass tag verification under two different keys and decrypt to two different plaintexts, the property behind the “Invisible Salamanders” class of attacks. An attacker with write permission to the bucket can therefore upload a replacement instruction file carrying a rogue EDK. Every subsequent decryption by the client unwraps that rogue key and returns plaintext chosen by the attacker instead of the original data, with no integrity error to warn the caller.
DailyCVE Form
Platform: AWS SDK
Version: <= 3.367.0
Vulnerability: Missing key commitment
Severity: 5.3 MEDIUM
Date: 2025-12-17
Prediction: Patch available
What Undercode Say
<?php
use Aws\S3\S3Client;
// Namespace assumed to mirror the V2 client's Aws\S3\Crypto namespace.
use Aws\S3\Crypto\S3EncryptionClientV3;

// $s3Client is an ordinary Aws\S3\S3Client and $materialsProvider the KMS
// materials provider for your data keys; both are assumed to be built earlier.
$encryptionClient = new S3EncryptionClientV3($s3Client);

$result = $encryptionClient->putObject([
    '@MaterialsProvider' => $materialsProvider,
    '@CipherOptions'     => ['Cipher' => 'gcm'],
    // Refuse to write, and later to read, objects that do not commit to their data key.
    '@CommitmentPolicy'  => 'REQUIRE_ENCRYPT_REQUIRE_DECRYPT',
    'Bucket'             => $bucket,
    'Key'                => $key,
    'Body'               => $body,
]);
How Exploit
- The attacker obtains write access to the target S3 bucket (for example `s3:PutObject` on the affected keys).
- The attacker crafts a rogue Encrypted Data Key (EDK) under which the stored ciphertext decrypts to attacker-controlled plaintext; nothing in the object commits to the original key, so the client cannot tell the two keys apart.
- The attacker uploads a new instruction file that replaces the legitimate EDK with the rogue one.
- The client unwraps the attacker’s EDK, decrypts the object with it and returns falsified data, with no integrity error.
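The following is an added example, not code from this page, the advisory or the AWS SDK. It shows in Python the property the description above and the exploit steps rely on: AES-GCM is not key-committing, so a single ciphertext can be accepted under a legitimate key and a rogue key while decrypting to two different plaintexts. It then shows a key-commitment check of the kind the protections below call for. The key names (`KEY_LEGIT`, `KEY_ROGUE`), the `COMMITKEY`/`DERIVEKEY` labels and the commitment layout are this demo’s own assumptions and not the SDK’s wire format; the `cryptography` package is required, and every key, nonce and message is constructed test data.

```python
"""Added demo (not aws-sdk-php code): one AES-GCM ciphertext that two keys both
accept, and a key-commitment check that refuses the substituted key.
Needs the `cryptography` package; all keys, nonces and messages are constructed."""
import hmac
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

R = 0xE1000000000000000000000000000000  # GCM reduction constant (SP 800-38D)
ONE = 1 << 127                           # multiplicative identity in GCM bit order

def gf_mul(x, y):
    """Multiply in GF(2^128) exactly as GHASH does (SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def gf_pow(x, n):
    result, base = ONE, x
    while n:
        if n & 1:
            result = gf_mul(result, base)
        base, n = gf_mul(base, base), n >> 1
    return result

def aes_block(key, block):
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()

def gcm_tag(key, nonce, ct):
    """AES-GCM tag for a 12-byte nonce, no AAD, ct a whole number of blocks."""
    h = int.from_bytes(aes_block(key, bytes(16)), "big")
    s = int.from_bytes(aes_block(key, nonce + b"\x00\x00\x00\x01"), "big")  # E_K(J0)
    data = ct + bytes(8) + (8 * len(ct)).to_bytes(8, "big")  # blocks, then length block
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return (y ^ s).to_bytes(16, "big")

def keystream(key, nonce, nblocks):
    # GCM enciphers block i (1-based) with counter nonce || (i + 1)
    return b"".join(aes_block(key, nonce + (i + 2).to_bytes(4, "big")) for i in range(nblocks))

def dual_key_ciphertext(key_a, key_b, nonce, msg):
    """Ciphertext+tag that AES-GCM accepts under BOTH keys: under key_a it yields
    `msg` plus one junk block, under key_b different bytes.  The last block X is
    solved for so the two tags coincide (X has coefficient H^2 in GHASH)."""
    assert len(msg) % 16 == 0
    fixed = bytes(a ^ b for a, b in zip(msg, keystream(key_a, nonce, len(msg) // 16)))
    diff = coeff = 0
    for key in (key_a, key_b):
        h = int.from_bytes(aes_block(key, bytes(16)), "big")
        diff ^= int.from_bytes(gcm_tag(key, nonce, fixed + bytes(16)), "big")  # tag with X = 0
        coeff ^= gf_pow(h, 2)
    x = gf_mul(diff, gf_pow(coeff, (1 << 128) - 2))  # diff / (H_a^2 + H_b^2)
    ct = fixed + x.to_bytes(16, "big")
    return ct + gcm_tag(key_a, nonce, ct)

def _derive(data_key, purpose):
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=purpose).derive(data_key)

def committed_encrypt(data_key, nonce, plaintext):
    """Committing variant (this demo's own design, not the SDK's format): the object
    carries a commitment to the data key and the AES key is derived, not used raw."""
    commit = _derive(data_key, b"COMMITKEY")
    return commit, AESGCM(_derive(data_key, b"DERIVEKEY")).encrypt(nonce, plaintext, commit)

def committed_decrypt(data_key, nonce, commit, ct):
    if not hmac.compare_digest(_derive(data_key, b"COMMITKEY"), commit):
        raise ValueError("key commitment mismatch: not the key this object was encrypted with")
    return AESGCM(_derive(data_key, b"DERIVEKEY")).decrypt(nonce, ct, commit)

# Constructed keys, standing in for what the legitimate and rogue EDKs unwrap to.
KEY_LEGIT, KEY_ROGUE, NONCE = bytes(31) + b"\x01", bytes(31) + b"\x02", bytes(12)
MSG = b"TRANSFER 100 USD TO ACCOUNT 1234"  # 32 bytes = two AES blocks

def demo():
    blob = dual_key_ciphertext(KEY_LEGIT, KEY_ROGUE, NONCE, MSG)
    commit, cct = committed_encrypt(KEY_LEGIT, NONCE, MSG)
    try:
        committed_decrypt(KEY_ROGUE, NONCE, commit, cct)
        rejected = False
    except ValueError:
        rejected = True
    lib = AESGCM(KEY_LEGIT).encrypt(NONCE, MSG, None)
    return {
        "under_legit": AESGCM(KEY_LEGIT).decrypt(NONCE, blob, None),
        "under_rogue": AESGCM(KEY_ROGUE).decrypt(NONCE, blob, None),  # no InvalidTag
        "committed_ok": committed_decrypt(KEY_LEGIT, NONCE, commit, cct) == MSG,
        "committed_rejects_rogue": rejected,
        "ghash_matches_library": lib[-16:] == gcm_tag(KEY_LEGIT, NONCE, lib[:-16]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it directly to print the five results. The trailing junk block is intrinsic to the construction: only the tag is made to collide, so the extra block decrypts to noise under both keys, which is why such a block is hidden as padding in practice. The committing variant refuses the rogue key before any AES-GCM decryption runs; to get past it an attacker would need two data keys with the same HKDF-derived commitment, which the tag collision above does not give them.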
Protection from this CVE
Upgrade to version 3.368.0 or later.
Set `@CommitmentPolicy` to `REQUIRE_ENCRYPT_REQUIRE_DECRYPT` so the client only writes committed objects and refuses to decrypt uncommitted ones.
Restrict write permissions on the bucket (`s3:PutObject` and related actions) to the identities that need them; the attack requires the ability to overwrite the instruction file.
Use the default `HeadersMetadataStrategy`, which keeps the EDK in the object’s own metadata, rather than instruction files.
Impact
Integrity: High – Data can be maliciously altered.
Confidentiality: None – Original data is not exposed.
Availability: None – Service operation is unaffected.
Sources:
Reported By: github.com

