CVE-2025-64186: 
vulnerability analysis and mitigation

A vulnerability (CVE-2025-64186) was identified in the evervault-go SDK's attestation verification logic in versions prior to 1.3.2. The vulnerability allows incomplete documents to pass validation, potentially causing the client to trust an enclave operator that does not meet expected integrity guarantees. The issue was discovered and disclosed in November 2025, affecting the evervault-go payment security solution SDK (GitHub Advisory).

The vulnerability stems from improper validation of AWS Nitro Enclave attestation documents within the evervault-go SDK. The core issue was a flawed 'naive equality check' in the attestation.PCRs.Equal function that would incorrectly approve an attestation document if some expected Platform Configuration Registers (PCRs) were missing. The CVSS v3.1 score is 8.7 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N, indicating network attack vector, low attack complexity, and high potential impact on confidentiality and integrity (GitHub Advisory).

The vulnerability primarily affects applications which only check PCR8, potentially allowing attackers to bypass security guarantees in enclave attestation. While the efficacy is reduced for applications that check all PCR values, the impact remains significant for systems not checking PCR 0, 1, and 2. The exploitability is limited in Evervault-hosted environments due to the requirement of having the ability to serve requests from specific evervault domain names (GitHub Advisory).

The vulnerability has been patched in version 1.3.2 by implementing proper validation of attestation documents before storing in the cache and replacing the naive equality checks with a new SatisfiedBy check. For users who cannot upgrade, two workarounds are available: 1) Modify application logic to fail verification if PCR8 is not explicitly present and non-empty, and 2) Add custom pre-validation to reject documents that omit any required PCRs (GitHub Advisory).