PT-2025-42399 · Witness+1

Published: 2025-10-15 · Updated: 2025-11-07 · CVE-2025-62375

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

go-witness versions 0.8.6 and earlier; witness versions 0.9.2 and earlier

Description

The AWS attestor in go-witness and witness improperly verifies AWS EC2 instance identity documents. Verification can incorrectly succeed when the signature is absent or empty, and when RSA signature verification fails. The attestor embeds a single legacy global AWS public certificate and does not account for the newer region-specific certificates issued in 2024, so forged documents are hard to detect without additional trusted region data. An attacker able to supply or intercept instance identity document data can cause a forged identity document to be accepted, leading to incorrect trust decisions based on the attestation.

Recommendations

Update go-witness to version 0.9.1 or later. Update witness to version 0.10.1 or later. Manually verify the included identity document, signature and public key with standard tools, following AWS's verification guidance. Disable the AWS attestor until upgraded.
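As an added example that is not part of this advisory or of go-witness, the fail-closed shape of the identity-document check in Go: it assumes AWS's base64 "signature" scheme (SHA-256 with RSA PKCS#1 v1.5) and a per-region map of trusted public keys, and generates the key and sample document locally so it runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

var (
	ErrNoSignature   = errors.New("identity document has no signature")
	ErrUnknownRegion = errors.New("no trusted AWS public key for region")
	ErrBadSignature  = errors.New("identity document signature does not verify")
)

// verifyIdentityDoc checks the raw document bytes against the decoded "signature"
// value (SHA-256 / RSA PKCS#1 v1.5, assumed here), choosing the trusted key by region.
// It fails closed: empty signature, unknown region or failed RSA check all error out.
func verifyIdentityDoc(doc, sig []byte, region string, trusted map[string]*rsa.PublicKey) error {
	if len(sig) == 0 {
		return ErrNoSignature
	}
	pub := trusted[region]
	if pub == nil {
		return ErrUnknownRegion
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return ErrBadSignature
	}
	return nil
}

// newFixture generates a throwaway key and signs a constructed sample document
// with it, standing in for AWS so the check can be exercised offline.
func newFixture() (doc, sig []byte, pub *rsa.PublicKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	doc = []byte(`{"instanceId":"i-0123456789abcdef0","region":"us-east-1"}`) // constructed
	digest := sha256.Sum256(doc)
	sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return doc, sig, &key.PublicKey
}
```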

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2025-62375
GHSA-72C7-4G63-HPW5
GO-2025-4028
OPENSUSE-SU-2025:15710-1

Affected Products

Gowitness
Witness