CVE-2025-62375 in go-witness
Summary
by MITRE • 10/15/2025
go-witness and witness are Go modules for generating attestations. In go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier, the AWS attestor improperly verifies AWS EC2 instance identity documents. Verification can incorrectly succeed when a signature is not present or is empty, and when RSA signature verification fails. The attestor also embeds a single legacy global AWS public certificate and does not account for newer region-specific certificates issued in 2024, making detection of forged documents difficult without additional trusted region data. An attacker able to supply or intercept instance identity document data (such as through Instance Metadata Service impersonation) can cause a forged identity document to be accepted, leading to incorrect trust decisions based on the attestation. This is fixed in go-witness 0.9.1 and witness 0.10.1. As a workaround, manually verify the included identity document, signature, and public key with standard tools (for example openssl) following AWS's verification guidance, or disable use of the AWS attestor until upgraded.
Analysis
by VulDB Data Team • 10/16/2025
CVE-2025-62375 affects the go-witness and witness Go modules, which generate attestations about software build and deployment steps. Their AWS attestor records the EC2 instance identity document of the machine a step ran on and verifies its signature so that a consumer of the attestation can trust claims such as account, region and instance ID. The flaw is in that verification logic: signature checks and certificate selection are both insufficient, so the attestor can vouch for a document that AWS never signed. That undermines the integrity and authenticity guarantees the attestation is supposed to carry into downstream policy decisions.
Three independent defects combine in the AWS attestor. First, an identity document whose signature field is absent or empty is accepted, so the cryptographic check is skipped entirely. Second, when a signature is present, the error returned by RSA verification is not acted on, so a document whose signature does not match its contents still passes. Third, the attestor trusts only a single embedded legacy global AWS public certificate; since AWS moved to region-specific signing certificates in 2024, a genuinely signed document from such a region cannot be validated against the embedded key, and a consumer has no trusted region-specific certificate to check a suspicious document against. Any one of the first two defects is sufficient for a forged document to be accepted; the third makes independent detection harder.
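The following Go program is an added illustration of the two signature defects and their fix; it is not code from go-witness or witness, and its "AWS certificate" is a locally generated RSA key standing in for the per-region certificate. It assumes the signature is PKCS#1 v1.5 over the SHA-256 digest of the raw document bytes (the scheme AWS's openssl verification guidance checks) and uses a constructed sample document. verifyVulnerable reproduces the flawed pattern (empty signature accepted, verification error ignored); verifyHardened requires a signature, picks the trusted key for the region the document claims, and fails closed on any error.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample identity document; the IDs are placeholders, not a real instance.
const demoDocument = `{"accountId":"123456789012","region":"us-east-1","instanceId":"i-0123456789abcdef0","imageId":"ami-0123456789abcdef0"}`

// trustStore maps a region to the RSA public key of that region's AWS signing
// certificate. Real code would parse the AWS-published PEM certificates here.
type trustStore map[string]*rsa.PublicKey

// regionOf reads the region the document claims so the matching certificate can be chosen.
func regionOf(doc []byte) (string, error) {
	var d struct {
		Region string `json:"region"`
	}
	if err := json.Unmarshal(doc, &d); err != nil {
		return "", fmt.Errorf("identity document is not valid JSON: %w", err)
	}
	if d.Region == "" {
		return "", errors.New("identity document has no region field")
	}
	return d.Region, nil
}

// verifyVulnerable reproduces the flawed pattern from the advisory: an absent
// signature counts as success and the RSA verification result is discarded.
func verifyVulnerable(pub *rsa.PublicKey, doc []byte, sigB64 string) bool {
	if sigB64 == "" {
		return true // flaw: missing signature accepted
	}
	sig, _ := base64.StdEncoding.DecodeString(sigB64)
	digest := sha256.Sum256(doc)
	_ = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) // flaw: error ignored
	return true
}

// verifyHardened requires a signature, selects the region-specific key and
// treats every decoding or verification error as a rejection.
func verifyHardened(store trustStore, doc []byte, sigB64 string) error {
	if sigB64 == "" {
		return errors.New("identity document carries no signature")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature is not valid base64: %w", err)
	}
	region, err := regionOf(doc)
	if err != nil {
		return err
	}
	pub, ok := store[region]
	if !ok {
		return fmt.Errorf("no trusted AWS certificate for region %q", region)
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature verification failed: %w", err)
	}
	return nil
}

// signDocument plays the role of AWS: PKCS#1 v1.5 over SHA-256 of the raw bytes.
func signDocument(priv *rsa.PrivateKey, doc []byte) (string, error) {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// newDemoTrust generates a local key pair to stand in for the us-east-1 certificate.
func newDemoTrust() (trustStore, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return trustStore{"us-east-1": &priv.PublicKey}, priv, nil
}

func main() {
	store, priv, err := newDemoTrust()
	if err != nil {
		panic(err)
	}
	doc := []byte(demoDocument)
	sig, _ := signDocument(priv, doc)
	forged := []byte(`{"accountId":"999999999999","region":"us-east-1","instanceId":"i-attacker"}`)
	fmt.Println("genuine, hardened:       ", verifyHardened(store, doc, sig))
	fmt.Println("no signature, vulnerable:", verifyVulnerable(store["us-east-1"], forged, ""))
	fmt.Println("no signature, hardened:  ", verifyHardened(store, forged, ""))
	fmt.Println("forged body, vulnerable: ", verifyVulnerable(store["us-east-1"], forged, sig))
	fmt.Println("forged body, hardened:   ", verifyHardened(store, forged, sig))
}
```

Running it shows the vulnerable path returning true for both the unsigned forgery and the forgery carrying a genuine signature over different bytes, while the hardened path rejects both. The region lookup also fails closed when the document names a region with no trusted certificate, which is the behaviour a consumer wants in place of falling back to a single global key.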
The operational impact falls on any consumer that makes decisions from the AWS attestation. An attacker who can answer the attestor's request for the instance identity document, for example by impersonating the Instance Metadata Service from a position on the instance or in its network path, can supply a document with an arbitrary account, region and instance ID and have it recorded as verified. Because the attestor accepts unsigned documents, the attacker does not need a signature at all. Downstream, a malicious or compromised build host can be treated as a trusted instance, and policies keyed on the attested account or instance identity (release gating, access to signing keys or deployment targets) can be satisfied by a machine that is not what it claims to be.
Mitigation for CVE-2025-62375 is to upgrade to go-witness 0.9.1 or witness 0.10.1, which address the signature handling and certificate selection. Until then, either disable the AWS attestor or verify recorded identity documents out of band with openssl following AWS's guidance: extract the document and signature from the attestation, obtain the AWS public certificate for the region the document names, and check the signature against that certificate; treat a missing signature or any verification failure as a rejection rather than a warning. Consumers of existing attestations produced by vulnerable versions should not treat their AWS fields as verified. In classification terms this is CWE-347 (Improper Verification of Cryptographic Signature): the signature is present in the protocol but not checked, rather than any data being unencrypted or a weak algorithm being used. From an attacker's perspective the forged document serves as alternate authentication material, the closest ATT&CK fit being T1550 (Use Alternate Authentication Material). The case is a reminder that an attestor's trust value depends entirely on failing closed: an unverifiable document must produce no claim, not an accepted one.