
Cloud Vulnerability DB
Community-driven vulnerability database
A vulnerability was identified in the attestation verification logic of evervault-go, the Go SDK for the Evervault payment security platform, in versions prior to 1.3.2. The vulnerability (CVE-2025-64186) was discovered and disclosed in November 2025. It concerns the SDK's handling of incomplete attestation documents and could allow a client to trust an enclave operator that does not meet the expected integrity guarantees (GitHub Advisory).
The vulnerability stems from unsound PCR (Platform Configuration Register) validation in the SDK's attestation verification logic: an attestation document that omits an expected PCR, PCR8 in particular, could still pass validation. It has been assigned a CVSS v3.1 base score of 8.7 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N, that is, network attack vector, low attack complexity, high privileges required, no user interaction, changed scope, and high impact on confidentiality and integrity with no impact on availability (GitHub Advisory).
The vulnerability allows integrity guarantees to be bypassed mainly in non-Evervault-hosted environments. In Evervault-hosted environments exploitability is limited, because TLS certificates for enclaves are obtained through a domain-specific ACME challenge-based pipeline. Applications that check only PCR8 are the ones primarily affected; the impact is partially mitigated for applications that check all PCR values, in particular PCR0, PCR1 and PCR2 (GitHub Advisory).
The vulnerability has been patched in version 1.3.2 of the evervault-go SDK, which validates attestation documents before storing them in the cache and replaces the naive equality checks with a new SatisfiedBy check. Users who cannot upgrade have two workarounds: 1) modify application logic to fail verification unless PCR8 is explicitly present and non-empty, and 2) add custom pre-validation that rejects any document omitting a required PCR (GitHub Advisory).
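The missing-PCR failure mode and the two workarounds above, as an added Go example that is not the evervault-go SDK's code and not taken from the advisory: naiveEqualityMatch is an assumed reconstruction of the weak pattern (comparing only the PCRs the document happens to carry), validateDoc and satisfiedBy are the hardened form, and docCache admits a document only after it verifies. The AttestationDoc type, the PCR values and every function name here are constructed for the example.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ExpectedPCRs holds the measurements a client pins, keyed by PCR index.
// An empty value means the client does not pin that PCR.
type ExpectedPCRs map[int]string

// AttestationDoc is a constructed, simplified stand-in for a decoded attestation
// document: only the PCR table is modelled, since that is what the check consumes.
// A PCR the enclave did not report is simply absent from the map.
type AttestationDoc struct {
	PCRs map[int]string
}

// samplePCRs are constructed 48-byte (SHA-384 sized) values used by main and the tests.
var samplePCRs = map[int]string{
	0: strings.Repeat("0a", 48),
	1: strings.Repeat("1b", 48),
	2: strings.Repeat("2c", 48),
	8: strings.Repeat("8d", 48),
}

// naiveEqualityMatch is an assumed reconstruction of the weak pattern the advisory
// describes, not the SDK's actual code. It walks the PCRs the document reports and
// compares each pinned one for equality. A PCR the document omits is never visited,
// so a document with no PCR8 at all satisfies a client that pins only PCR8.
func naiveEqualityMatch(expected ExpectedPCRs, doc AttestationDoc) bool {
	for idx, got := range doc.PCRs {
		want, pinned := expected[idx]
		if pinned && want != "" && !strings.EqualFold(got, want) {
			return false
		}
	}
	return true
}

// validateDoc is the pre-validation the advisory suggests as a workaround: every
// pinned PCR must be present, non-empty and valid hex in the document. Run it before
// the document is cached, so an incomplete document never becomes a trusted one.
func validateDoc(expected ExpectedPCRs, doc AttestationDoc) error {
	for idx, want := range expected {
		if want == "" {
			continue
		}
		got, ok := doc.PCRs[idx]
		if !ok || got == "" {
			return fmt.Errorf("attestation document omits required PCR%d", idx)
		}
		if _, err := hex.DecodeString(got); err != nil {
			return fmt.Errorf("PCR%d is not valid hex: %w", idx, err)
		}
	}
	return nil
}

// satisfiedBy is the hardened check: the document satisfies the pins only when every
// pinned PCR is present and equal. Absence is a failure, not a skip.
func satisfiedBy(expected ExpectedPCRs, doc AttestationDoc) bool {
	if err := validateDoc(expected, doc); err != nil {
		return false
	}
	for idx, want := range expected {
		if want != "" && !strings.EqualFold(doc.PCRs[idx], want) {
			return false
		}
	}
	return true
}

// docCache admits a document only after it passes satisfiedBy, mirroring the fix's
// "validate before cache storage" ordering.
type docCache struct {
	byHost map[string]AttestationDoc
}

func (c *docCache) store(host string, expected ExpectedPCRs, doc AttestationDoc) error {
	if !satisfiedBy(expected, doc) {
		return errors.New("refusing to cache attestation document that does not satisfy pinned PCRs")
	}
	if c.byHost == nil {
		c.byHost = make(map[string]AttestationDoc)
	}
	c.byHost[host] = doc
	return nil
}

func main() {
	pinPCR8Only := ExpectedPCRs{8: samplePCRs[8]}
	// Constructed document from which PCR8 has been omitted entirely.
	stripped := AttestationDoc{PCRs: map[int]string{0: samplePCRs[0], 1: samplePCRs[1], 2: samplePCRs[2]}}

	fmt.Println("naive, PCR8 omitted:   ", naiveEqualityMatch(pinPCR8Only, stripped)) // true: the bug
	fmt.Println("hardened, PCR8 omitted:", satisfiedBy(pinPCR8Only, stripped))        // false
	var cache docCache
	fmt.Println("cache stripped doc:", cache.store("enclave.example", pinPCR8Only, stripped))
}
```

The point to take away is that the hardened path treats an absent or empty pinned PCR as a verification failure rather than as a skipped comparison, which is what workaround 1 asks for, and that the cache is only ever filled from the verified path, which is the ordering the 1.3.2 fix establishes. Pinning PCR0, PCR1 and PCR2 alongside PCR8 narrows the window further, as the advisory notes.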
Source: this report was generated using AI