CVE-2025-62375: 
Wolfi vulnerability analysis and mitigation

CVE-2025-62375 affects go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier. The vulnerability was discovered and disclosed on October 15, 2025, impacting the AWS attestor component which improperly verifies AWS EC2 instance identity documents (NVD, GitHub Advisory).

The vulnerability stems from multiple verification failures in the AWS attestor component. Verification can incorrectly succeed in two scenarios: when a signature is not present or is empty, and when RSA signature verification fails. Additionally, the attestor embeds a single legacy global AWS public certificate and does not account for newer region-specific certificates issued in 2024. The vulnerability has been assigned a CVSS 4.0 Base Score of 6.9 (MEDIUM) with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (NVD).

This vulnerability only affects users of the AWS attestor. Users could unknowingly receive a forged identity document through Instance Metadata Service (IMDS) impersonation. The detection of forged documents is particularly difficult without additional trusted region data, as AWS has moved to region-specific public certificates (GitHub Advisory).

The vulnerability has been patched in go-witness version 0.9.1 and witness version 0.10.1. As a workaround, users can manually verify the included identity document, signature, and public key with standard tools (like openssl) following AWS's verification guidance, or disable use of the AWS attestor until upgraded (NVD).