CVE-2025-64186: Evervault Go SDK: Incomplete PCR Validation in Enclave Attestation for non-Evervault hosted Enclaves
(updated )
A vulnerability was identified in the evervault-go SDK’s attestation verification logic that may allow incomplete documents to pass validation. This may cause the client to trust an enclave operator that does not meet expected integrity guarantees.
The exploitability of this issue is limited in Evervault-hosted environments as an attacker would require the pre-requisite ability to serve requests from specific evervault domain names, following from our ACME challenge based TLS certificate acquisition pipeline.
The vulnerability primarily affects applications which only check PCR8. Though the efficacy is also reduced for applications that check all PCR values, the impact is largely remediated by checking PCR 0, 1 and 2.
References
- github.com/advisories/GHSA-88h9-77c7-p6w4
- github.com/evervault/evervault-go
- github.com/evervault/evervault-go/commit/7c824d289bba11ec0bea46a338023f5b128bbb28
- github.com/evervault/evervault-go/pull/48
- github.com/evervault/evervault-go/security/advisories/GHSA-88h9-77c7-p6w4
- nvd.nist.gov/vuln/detail/CVE-2025-64186
Code Behaviors & Features
Detect and mitigate CVE-2025-64186 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →