PT-2025-46716 · Evervault · Evervault-Go

Published 2025-11-12 · Updated 2025-11-17 · CVE-2025-64186

CVSS v3.1: 8.7 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Evervault-go versions prior to 1.3.2

Description

A flaw exists in the attestation verification logic of the evervault-go SDK. This issue could allow incomplete documents to pass validation, potentially leading a client to trust an enclave operator that does not meet the expected integrity guarantees. The exploitability of this issue is limited in Evervault-hosted environments, as an attacker would need the ability to serve requests from specific Evervault domain names. The vulnerability primarily impacts applications that only check PCR8. Checking PCR 0, 1, and 2 largely mitigates the impact, even for applications that check all PCR values. The issue involves the SDK’s handling of attestation documents and equality checks. The verifyPCRs function is involved in the process.

Recommendations

Versions prior to 1.3.2 should be upgraded to version 1.3.2, which validates attestation documents before caching and replaces naive equality checks with a SatisfiedBy check. If upgrading is not immediately possible for Enclaves hosted outside of Evervault environments, modify application logic to fail verification if PCR8 is not explicitly present and non-empty, or add custom pre-validation to reject documents that omit any required PCRs.
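
The interim mitigation described in the recommendations, sketched in Go as an added example (not code from the evervault-go SDK or from this advisory). The PCRs type, PreValidate and VerifyStrict are hypothetical names, and the digest values are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// PCRs is a hypothetical stand-in (not the SDK's type): PCR index -> hex digest.
type PCRs map[int]string

var (
	ErrMissingPCR  = errors.New("required PCR missing or empty")
	ErrPCRMismatch = errors.New("PCR mismatch")
)

// PreValidate rejects a document that omits, or leaves empty, any PCR the
// application requires, before any value comparison takes place.
func PreValidate(doc, expected PCRs) error {
	if len(expected) == 0 {
		return fmt.Errorf("no expected PCRs configured: %w", ErrMissingPCR)
	}
	for idx, want := range expected {
		if got, ok := doc[idx]; !ok || got == "" || want == "" {
			return fmt.Errorf("PCR%d: %w", idx, ErrMissingPCR)
		}
	}
	return nil
}

// VerifyStrict fails closed: completeness first, then every expected value.
func VerifyStrict(doc, expected PCRs) error {
	if err := PreValidate(doc, expected); err != nil {
		return err
	}
	for idx, want := range expected {
		if !strings.EqualFold(doc[idx], want) {
			return fmt.Errorf("PCR%d: %w", idx, ErrPCRMismatch)
		}
	}
	return nil
}

func main() {
	// Constructed sample values, shortened; real PCR digests are much longer.
	expected := PCRs{0: "aa00", 1: "bb01", 2: "cc02", 8: "dd08"}
	incomplete := PCRs{0: "aa00", 1: "bb01", 2: "cc02"} // PCR8 omitted
	fmt.Println("complete document:  ", VerifyStrict(expected, expected))
	fmt.Println("incomplete document:", VerifyStrict(incomplete, expected))
}
```

An absent or empty PCR is reported as its own error rather than as a mismatch, so the two cases can be told apart in logs and alerts.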

Exploit

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2025-64186
GHSA-88H9-77C7-P6W4
GO-2025-4112

Affected Products

Evervault-Go