GHSA-72C7-4G63-HPW5
Vulnerability from github – Published: 2025-10-15 20:12 – Updated: 2025-10-16 14:43Impact
This vulnerability only affects users of the AWS attestor.
Users of the AWS attestor could have unknowingly received a forged identity document. While this may seem unlikely, AWS recently issued a security bulletin about IMDS (Instance Metadata Service) impersonation.[^1]
There are multiple locations where the verification of the identity document will mistakenly report a successful verification.
-
If a signature is not present or is empty https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L161-L163
-
If the RSA verification of the document fails for any reason https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L192-L196
Workarounds
The contents of the AWS attestation contain the identity document, signature, and public key that was used to verify the document. These attestations and their could be identity documents could be manually verified with the openssl command line as documented in the below reference from AWS.[^2]
However, the certificate containing the public key was hard-coded into the attestor. https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L46-L66
Since the original authoring of the attestor, AWS has moved to region specific public certificates. The currently valid certificates were issued around April of 2024, making the identification of attestations with forged content difficult without additional trusted data proving the AWS region in which the attestation was created.
Patches
This vulnerability is addressed in go-witness 0.9.1 and witness 0.10.1.
Resources
[^1]: AWS Security Bulletin on IMDS Impersonation [^2]: Verification of instance identity documents
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/in-toto/go-witness"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62375"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-15T20:12:56Z",
"nvd_published_at": "2025-10-15T20:15:36Z",
"severity": "MODERATE"
},
"details": "### Impact\nThis vulnerability only affects users of the AWS attestor.\n\nUsers of the AWS attestor could have unknowingly received a forged identity document. While this may seem unlikely, AWS recently issued a security bulletin about IMDS (Instance Metadata Service) impersonation.[^1]\n\nThere are multiple locations where the verification of the identity document will mistakenly report a successful verification.\n\n- If a signature is not present or is empty\nhttps://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L161-L163\n\n- If the RSA verification of the document fails for any reason\nhttps://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L192-L196\n\n### Workarounds\nThe contents of the AWS attestation contain the identity document, signature, and public key that was used to verify the document. These attestations and their could be identity documents could be manually verified with the `openssl` command line as documented in the below reference from AWS.[^2]\n\nHowever, the certificate containing the public key was hard-coded into the attestor. \nhttps://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L46-L66\n\nSince the original authoring of the attestor, AWS has moved to region specific public certificates. The currently valid certificates were issued around April of 2024, making the identification of attestations with forged content difficult without additional trusted data proving the AWS region in which the attestation was created.\n\n### Patches\nThis vulnerability is addressed in `go-witness` 0.9.1 and `witness` 0.10.1.\n\n### Resources\n[^1]: [AWS Security Bulletin on IMDS Impersonation](https://aws.amazon.com/security/security-bulletins/rss/aws-2025-021/)\n[^2]: [Verification of instance identity documents](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-iid.html#verify-signature)",
"id": "GHSA-72c7-4g63-hpw5",
"modified": "2025-10-16T14:43:47Z",
"published": "2025-10-15T20:12:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/in-toto/go-witness/security/advisories/GHSA-72c7-4g63-hpw5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62375"
},
{
"type": "WEB",
"url": "https://github.com/in-toto/go-witness/commit/04ff20b600e28ce8fd1aa287534dd383a1cfefb9"
},
{
"type": "PACKAGE",
"url": "https://github.com/in-toto/go-witness"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.