CVE-2025-62375: 
Wolfi vulnerability analysis and mitigation

The vulnerability CVE-2025-62375 affects go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier, specifically impacting their AWS attestor functionality. The vulnerability was discovered and disclosed on October 15, 2025, affecting the AWS EC2 instance identity document verification process. The affected software components are Go modules used for generating attestations (NVD, GitHub Advisory).

The vulnerability stems from improper verification of AWS EC2 instance identity documents in the AWS attestor component. The verification process can incorrectly succeed in multiple scenarios: when a signature is not present, when the signature is empty, or when RSA signature verification fails. Additionally, the attestor embeds a single legacy global AWS public certificate and does not account for newer region-specific certificates issued in 2024, making the detection of forged documents difficult without additional trusted region data. The vulnerability has been assigned a CVSS v4.0 Base Score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (NVD, GitHub Advisory).

An attacker who can supply or intercept instance identity document data, such as through Instance Metadata Service (IMDS) impersonation, can cause a forged identity document to be accepted. This can lead to incorrect trust decisions based on the attestation, potentially compromising the security of systems relying on these attestations (GitHub Advisory).

The vulnerability has been patched in go-witness version 0.9.1 and witness version 0.10.1. For users unable to upgrade immediately, a workaround is available: manually verify the included identity document, signature, and public key with standard tools (such as openssl) following AWS's verification guidance, or disable the use of the AWS attestor until upgraded (GitHub Advisory).