CVE-2025-64186
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-64186, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-12

Last updated on: 2026-02-13

Assigner: GitHub, Inc.

Description

Evervault is a payment security solution. A vulnerability was identified in the `evervault-go` SDK’s attestation verification logic in versions of `evervault-go` prior to 1.3.2 that may allow incomplete documents to pass validation. This may cause the client to trust an enclave operator that does not meet expected integrity guarantees. The exploitability of this issue is limited in Evervault-hosted environments as an attacker would require the pre-requisite ability to serve requests from specific evervault domain names, following from our ACME challenge based TLS certificate acquisition pipeline. The vulnerability primarily affects applications which only check PCR8. Though the efficacy is also reduced for applications that check all PCR values, the impact is largely remediated by checking PCR 0, 1 and 2. The identified issue has been addressed in version 1.3.2 by validating attestation documents before storing in the cache, and replacing the naive equality checks with a new SatisfiedBy check. Those who useevervault-go to attest Enclaves that are hosted outside of Evervault environments and cannot upgrade have two possible workarounds available. Modify the application logic to fail verification if PCR8 is not explicitly present and non-empty and/or add custom pre-validation to reject documents that omit any required PCRs.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-12
Last Modified
2026-02-13
Generated
2026-07-06
AI Q&A
2025-11-13
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
evervault evervault to 1.3.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the evervault-go SDK's attestation verification logic before version 1.3.2. It may allow incomplete attestation documents to pass validation, causing the client to trust an enclave operator that does not meet expected integrity guarantees. The issue mainly affects applications that only check PCR8, and is less effective if other PCR values (0, 1, and 2) are checked. The vulnerability has been fixed in version 1.3.2 by improving document validation and verification checks.

Impact Analysis

If exploited, this vulnerability could cause your application to trust an enclave operator that does not meet expected integrity guarantees, potentially compromising the security of your payment processing or sensitive data. However, exploitation is limited in Evervault-hosted environments because an attacker would need the ability to serve requests from specific Evervault domain names. The impact is greater if your application only checks PCR8 during attestation verification.

Mitigation Strategies

Upgrade the evervault-go SDK to version 1.3.2 or later, which addresses the vulnerability by validating attestation documents before caching and replacing naive equality checks with a SatisfiedBy check. If upgrading is not possible for enclaves hosted outside Evervault environments, modify application logic to fail verification if PCR8 is not explicitly present and non-empty, and/or add custom pre-validation to reject attestation documents that omit any required PCRs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64186. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart