216.73.217.86

CVE-2025-62375

· Published 15/10/2025 20:15 · Modified 15/10/2025 20:15

Labels: CVE-2025-62375 2025-10-15CVE-2025-62375CWE-295[email protected]

Essential information

Published
15/10/2025 20:15
Modified
15/10/2025 20:15
Author
Creator
CVSS
6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

go-witness and witness are Go modules for generating attestations. In go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier the AWS attestor improperly verifies AWS EC2 instance identity documents. Verification can incorrectly succeed when a signature is not present or is empty, and when RSA signature verification fails. The attestor also embeds a single legacy global AWS public certificate and does not account for newer region specific certificates issued in 2024, making detection of forged documents difficult without additional trusted region data. An attacker able to supply or intercept instance identity document data (such as through Instance Metadata Service impersonation) can cause a forged identity document to be accepted, leading to incorrect trust decisions based on the attestation. This is fixed in go-witness 0.9.1 and witness 0.10.1. As a workaround, manually verify the included identity document, signature, and public key with standard tools (for example openssl) following AWS’s verification guidance, or disable use of the AWS attestor until upgraded.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
go-witness / go-witness cpe:2.3:a:go-witness:go-witness:0.8.6:*:*:*:*:*:*:*
witness / witness cpe:2.3:a:witness:witness:0.9.2:*:*:*:*:*:*:*

References