CVE-2025-62375: go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents
This vulnerability only affects users of the AWS attestor.
Users of the AWS attestor could have unknowingly received a forged identity document. While this may seem unlikely, AWS recently issued a security bulletin about IMDS (Instance Metadata Service) impersonation.[^1]
In multiple locations, verification of the identity document mistakenly reports success.
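A verifier avoids this failure mode when `nil` is reachable only after the signature check has passed. The Go code below is an added example, not go-witness code: `VerifyIdentityDocument` and `signConstructed` are hypothetical names, it assumes a base64 RSA-SHA256 signature over the raw document bytes, and a throwaway key stands in for the AWS signing certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// VerifyIdentityDocument (hypothetical name) returns nil only when sigB64 is a valid
// RSA-SHA256 signature over doc under the trusted key; all other paths return an error.
func VerifyIdentityDocument(doc []byte, sigB64 string, pub *rsa.PublicKey) error {
	sigB64 = strings.Join(strings.Fields(sigB64), "") // tolerate line breaks in the base64
	if pub == nil || len(doc) == 0 || sigB64 == "" {
		return fmt.Errorf("missing trusted key, document or signature")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("decode signature: %w", err) // a decode failure is a failure
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not match document: %w", err)
	}
	return nil
}

// signConstructed signs doc with a throwaway key (constructed test data only).
func signConstructed(doc []byte) (string, *rsa.PublicKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(sig), &key.PublicKey
}

func main() {
	doc := []byte(`{"instanceId":"i-constructed"}`)
	sig, pub := signConstructed(doc)
	fmt.Println("genuine:", VerifyIdentityDocument(doc, sig, pub))
	fmt.Println("forged: ", VerifyIdentityDocument([]byte(`{"instanceId":"i-forged"}`), sig, pub))
}
```

A caller should treat any non-nil return as a failed attestation rather than logging it and continuing.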