Amazon Web Services Latest Security Bulletins

Latest Bulletins: read our latest security bulletins here.

  • Key Commitment Issues in S3 Encryption Clients
    by aws@amazon.com on December 17, 2025 at 9:51 pm

    Bulletin ID: AWS-2025-032
    Scope: AWS
    Content Type: Important (requires attention)
    Publication Date: 2025/12/17 12:15 PM PST

    We identify the following CVEs:
    – CVE-2025-14763 – Key Commitment Issues in S3 Encryption Client in Java
    – CVE-2025-14764 – Key Commitment Issues in S3 Encryption Client in Go
    – CVE-2025-14759 – Key Commitment Issues in S3 Encryption Client in .NET
    – CVE-2025-14760 – Key Commitment Issues in S3 Encryption Client in C++ – part of the AWS SDK for C++
    – CVE-2025-14761 – Key Commitment Issues in S3 Encryption Client in PHP – part of the AWS SDK for PHP
    – CVE-2025-14762 – Key Commitment Issues in S3 Encryption Client in Ruby – part of the AWS SDK for Ruby

    Description: S3 Encryption Clients for Java, Go, .NET, C++, PHP, and Ruby are open-source client-side encryption libraries used to facilitate writing and reading encrypted records to S3. When the encrypted data key (EDK) is stored in an “Instruction File” instead of S3’s metadata record, the EDK is exposed to an “Invisible Salamanders” attack, which could allow the EDK to be replaced with a new key.

    Resolution:
    – S3 Encryption Client Java: <= 3.5.0
    – S3 Encryption Client Go: <= 3.1.0
    – S3 Encryption Client .NET: <= 3.1
    – AWS SDK for C++: <= 1.11.711
    – AWS SDK for PHP: <= 3.367.0
    – AWS SDK for Ruby: <= 1.207.0

  • Overly Permissive Trust Policy in Harmonix on AWS EKS
    by aws@amazon.com on December 15, 2025 at 8:13 pm

    Bulletin ID: AWS-2025-031
    Scope: AWS
    Content Type: Informational
    Publication Date: 2025/12/15 11:45 AM PST

    Description: Harmonix on AWS is an open source reference architecture and implementation of a Developer Platform that extends the CNCF Backstage project. We identified CVE-2025-14503, where an overly permissive IAM trust policy in the Harmonix on AWS framework may allow authenticated users to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any account principal with sts:AssumeRole permissions to assume the role with administrative privileges.

    Resolution: v0.3.0 through v0.4.1

  • CVE-2025-66478: RCE in React Server Components
    by aws@amazon.com on December 4, 2025 at 4:21 am

    Bulletin ID: AWS-2025-030
    Scope: AWS
    Content Type: Important (requires attention)
    Publication Date: 2025/12/03 20:00 PM PST

    Description: AWS is aware of the recently disclosed CVE-2025-55182, which affects the React Server Flight protocol in React versions 19.0, 19.1, and 19.2, as well as in Next.js versions 15.x, 16.x, Next.js 14.3.0-canary.77 and later canary releases when using App Router. This issue may permit unauthorized remote code execution on affected application servers. AWS is aware of CVE-2025-66478, which has been rejected as a duplicate of CVE-2025-55182.

    Customers using managed AWS services are not affected, and no action is required. Customers running an affected version of React or Next.js in their own environments should update to the latest patched versions immediately:
    – Customers using React 19.x with Server Functions and RSC Components should update to the latest patched versions 19.0.1, 19.1.2, and 19.2.1
    – Customers using Next.js 15-16 with App Router should update to a patched version

  • Call audio termination issue in AWS Wickr desktop clients
    by aws@amazon.com on November 21, 2025 at 8:29 pm

    Bulletin ID: AWS-2025-029
    Scope: AWS
    Content Type: Important (requires attention)
    Publication Date: 2025/11/21 12:15 PM PDT

    Description: AWS Wickr is an end-to-end encrypted service that helps organizations communicate securely through messaging, voice and video calling, file sharing, and screen sharing. We identified CVE-2025-13524, which describes an issue in the Wickr calling service. Under certain conditions, which require the affected user to take a particular action within the application, the user’s audio stream remains open after they close their call window. This could result in audio from the affected user’s device continuing to stream unexpectedly to other call participants until those users drop the call, the affected user joins another call, or the affected user terminates their application.

    Impacted versions: AWS Wickr, Wickr Gov and Wickr Enterprise desktop (Windows, Mac and Linux) versions prior to 6.62.13.

  • Privilege Escalation in Aurora PostgreSQL using AWS JDBC Wrapper, AWS Go Wrapper, AWS NodeJS Wrapper, AWS Python Wrapper, AWS PGSQL ODBC driver
    by aws@amazon.com on November 10, 2025 at 6:56 pm

    Bulletin ID: AWS-2025-028
    Scope: AWS
    Content Type: Important (requires attention)
    Publication Date: 2025/11/10 10:15 AM PDT

    Description: Amazon Aurora PostgreSQL is a fully managed relational database engine that’s compatible with PostgreSQL. We identified CVE-2025-12967, an issue in AWS Wrappers for Amazon Aurora PostgreSQL that may allow for privilege escalation to the rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with the permissions of other Amazon Relational Database Service (RDS) users.

    Impacted versions:
    – AWS JDBC Wrapper <2.6.5
    – AWS Go Wrapper <2025-10-17
    – AWS NodeJS Wrapper <2.0.1
    – AWS Python Wrapper <1.4.0
    – AWS ODBC driver <1.0.1

  • CVE-2025-12829 – Integer Overflow issue in Amazon Ion-C
    by aws@amazon.com on November 7, 2025 at 6:39 pm

    Bulletin ID: AWS-2025-027
    Scope: Amazon
    Content Type: Important (requires attention)
    Publication Date: 2025/11/7 10:15 AM PDT

    Description: Amazon’s Ion-C is a library for the C language that is used to read and write Amazon Ion data. We identified CVE-2025-12829, which describes an uninitialized stack read issue in Ion-C versions < v1.1.4 that may allow a threat actor to craft data and serialize it to Ion text in such a way that sensitive data in memory could be exposed through UTF-8 escape sequences.

    Impacted versions: < v1.1.4

  • CVE-2025-12815 – RES web portal may display preview of Virtual Desktops that the user shouldn’t have access to
    by aws@amazon.com on November 6, 2025 at 5:56 pm

    Bulletin ID: AWS-2025-026
    Scope: AWS
    Content Type: Important (requires attention)
    Publication Date: 2025/11/6 09:15 AM PDT

    Description: Research and Engineering Studio on AWS (RES) is an open source, easy-to-use web-based portal for administrators to create and manage secure cloud-based research and engineering environments. We identified CVE-2025-12815, in which an ownership verification issue in the Virtual Desktop preview page in the Research and Engineering Studio (RES) on AWS before version 2025.09 may allow an authenticated remote user to view another user’s active desktop session metadata, including periodical desktop preview screenshots.

    Impacted versions: < 2025.09

  • Improper authentication token handling in the Amazon WorkSpaces client for Linux
    by aws@amazon.com on November 5, 2025 at 9:39 pm

    Bulletin ID: AWS-2025-025
    Scope: AWS
    Content Type: Important (requires attention)
    Publication Date: 2025/11/5 13:20 PM PDT

    Description: We identified CVE-2025-12779, which describes an issue in the Amazon WorkSpaces client for Linux. Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, an unintended user may be able to extract a valid authentication token from the client machine and access another user’s WorkSpace. We have proactively communicated with customers regarding the end of support for the impacted client versions.

    Impacted versions: Amazon WorkSpaces client for Linux versions 2023.0 through 2024.8

  • CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 – runc container issues
    by aws@amazon.com on November 5, 2025 at 5:20 pm

    Bulletin ID: AWS-2025-024
    Scope: AWS
    Content Type: Important (requires attention)
    Publication Date: 2025/11/5 8:45 PM PDT
    CVE Identifiers: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881

    AWS is aware of recently disclosed security issues affecting the runc component of several open source container management systems (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) when launching new containers. AWS does not consider containers a security boundary, and does not utilize containers to isolate customers from each other. There is no cross-customer risk from these issues.

    AWS customers that utilize containers to isolate workloads within their own self-managed environments are strongly encouraged to contact their operating system vendor for any updates or instructions necessary to mitigate any potential concerns arising from these issues. With the exception of the AWS services listed below, no customer action is required to address this issue. As a best practice, AWS always recommends that you apply all security patches and software version updates.

    Affected services:
    – Amazon Linux
    – Bottlerocket
    – Amazon Elastic Container Service (ECS)
    – Amazon Elastic Kubernetes Service (EKS)
    – AWS Elastic Beanstalk
    – Finch
    – AWS Deep Learning AMI
    – AWS Batch
    – Amazon SageMaker
