CVE-2025-15467 in OpenSSL 3.0.16

[frittsy]

Describe the bug

Update OpenSSL to 3.0.19 to address CVE-2025-15467

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

OpenSSL is updated to a version that does not contain the CVE

Current Behavior

AWS CLI contains a version of OpenSSL with the CVE

Reproduction Steps

N/A

Possible Solution

No response

Additional Information/Context

No response

CLI version used

2.33.5

Environment details (OS name and version, etc.)

Linux, Windows, macOS

[adev-code]

Hello @frittsy, thanks for reaching out and bringing this issue. We have confirmed that the AWS CLI is not affected by the CVEs listed in https://openssl-library.org/news/secadv/20260127.txt, and customers do not need to take any action to mitigate them. However, we understand that some security scanners may flag these due to the current dependency. We will be updating the bundled OpenSSL version which includes fixes for these CVEs.

[benjnicholls]

Scanners specifically flag (at least on Windows) the libcrypto-3.dll and the libssl-3.dll. There are a number of similar CVEs that would be fixed by upgrading from 3.0.18 to 3.0.19. Namely the below:

CVE-2026-22796, CVE-2026-22795, CVE-2025-69421, CVE-2025-69420, CVE-2025-69419, CVE-2025-69418, CVE-2025-68160, CVE-2025-15467

[adev-code]

@benjnicholls thanks for reply. We do not have an ETA yet on when the upgrade will be done. Although moving forward, please CLI v2 changelog for updates.

[benjnicholls]

Okay that makes sense. It appears to be from cpython itself. I haven't found a release which has a dll older than 3.0.18 yet.

[adev-code]

@benjnicholls, yes. For Windows and Mac, the OpenSSL patch relies on CPython itself. The current Python interpreter used for CLI v2 is 3.13.11, which uses OpenSSL 3.0.18 bundled with Python 3.13.8.

For Linux, you can track the patch in this PR Add changelog entry for OpenSSL 1.1.1ze Linux Installers Upgrade.