CVE-2025-62375
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description
go-witness and witness are Go modules for generating attestations. In go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier the AWS attestor improperly verifies AWS EC2 instance identity documents. Verification can incorrectly succeed when a signature is not present or is empty, and when RSA signature verification fails. The attestor also embeds a single legacy global AWS public certificate and does not account for newer region specific certificates issued in 2024, making detection of forged documents difficult without additional trusted region data. An attacker able to supply or intercept instance identity document data (such as through Instance Metadata Service impersonation) can cause a forged identity document to be accepted, leading to incorrect trust decisions based on the attestation. This is fixed in go-witness 0.9.1 and witness 0.10.1. As a workaround, manually verify the included identity document, signature, and public key with standard tools (for example openssl) following AWS’s verification guidance, or disable use of the AWS attestor until upgraded.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-15
Last Modified
2025-10-16
Generated
2026-05-07
AI Q&A
2025-10-15
EPSS Evaluated
2026-05-05
NVD
CVE-2025-62375
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
in-toto go-witness 0.8.6
in-toto witness 0.9.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the AWS attestor in go-witness (<=0.8.6) and witness (<=0.9.2) Go modules, which improperly verify AWS EC2 instance identity documents. The verification can incorrectly succeed even when the signature is missing, empty, or when RSA signature verification fails. Additionally, the attestor uses a single legacy global AWS public certificate and does not recognize newer region-specific certificates issued in 2024. This flaw allows an attacker who can supply or intercept instance identity document data (e.g., via Instance Metadata Service impersonation) to have forged identity documents accepted, leading to incorrect trust decisions based on the attestation.


How can this vulnerability impact me? :

If exploited, this vulnerability can allow an attacker to present forged AWS EC2 instance identity documents that are accepted as valid. This can lead to incorrect trust decisions, potentially allowing unauthorized access or actions based on false attestations of instance identity. This undermines the security of systems relying on these attestations for authentication or authorization.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by manually verifying the included AWS EC2 instance identity document, its signature, and the public key using standard tools such as openssl, following AWS's verification guidance. There are no specific commands provided, but using openssl to check the signature validity against trusted certificates is recommended.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading to go-witness version 0.9.1 or later, or witness version 0.10.1 or later. As a workaround, you can manually verify the identity document, signature, and public key with standard tools like openssl following AWS's verification guidance, or disable the use of the AWS attestor until the upgrade is applied.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart