Improper Verification of AWS EC2 Instance Identity Documents in Go Modules
CVE-2025-62375

6.9 MEDIUM

Key Information:

Vendor: In-toto
CVE Published: 15 October 2025

What is CVE-2025-62375?

The go-witness and witness modules have a critical flaw in the AWS attestor's method for verifying AWS EC2 instance identity documents. Specifically, in go-witness 0.8.6 and earlier and witness 0.9.2 and earlier, the verification process may wrongly confirm a document's authenticity even when no signature is present or when RSA signature validation fails. Moreover, the attestor embeds only a legacy AWS public certificate and does not include the region-specific certificates AWS issued in 2024, which makes forged documents harder to detect. Consequently, an attacker able to inject or intercept instance identity document data could supply a counterfeit document and cause an incorrect trust decision. Upgrading to go-witness 0.9.1 and witness 0.10.1 addresses these issues; verifying the document manually is recommended as a temporary mitigation.
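To make the bug class concrete, the following added example (not code from go-witness or witness) places a fail-open verifier beside a fail-closed one. It assumes a constructed identity document signed with RSA PKCS#1 v1.5 over SHA-256 rather than the PKCS#7 envelope AWS actually emits, and constructed test keys in place of the AWS certificates.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// IdentityDoc is a constructed stand-in for an EC2 instance identity document with a
// detached RSA signature (assumption: PKCS#1 v1.5 over SHA-256, not AWS's PKCS#7 form).
type IdentityDoc struct {
	Body      []byte
	Signature []byte // nil when the caller supplied no signature
}
// verifyFailOpen shows the bug class from the advisory: an unsigned document skips the
// check, a failed RSA check is only logged, and only one baked-in key is ever consulted.
func verifyFailOpen(doc IdentityDoc, trusted []*rsa.PublicKey) error {
	if doc.Signature != nil { // BUG: no signature means no check at all
		h := sha256.Sum256(doc.Body)
		if err := rsa.VerifyPKCS1v15(trusted[0], crypto.SHA256, h[:], doc.Signature); err != nil {
			fmt.Println("warning:", err) // BUG: failure logged instead of returned
		}
	}
	return nil // every path reports "verified"
}

// verifyFailClosed accepts only when some key in the trust set (which should hold the
// region-specific AWS certificates, not just the legacy one) verifies the signature.
func verifyFailClosed(doc IdentityDoc, trusted []*rsa.PublicKey) error {
	if len(doc.Signature) == 0 {
		return errors.New("identity document has no signature")
	}
	h := sha256.Sum256(doc.Body)
	for _, k := range trusted {
		if rsa.VerifyPKCS1v15(k, crypto.SHA256, h[:], doc.Signature) == nil {
			return nil
		}
	}
	return errors.New("signature does not verify against any trusted key")
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged := IdentityDoc{Body: []byte(`{"instanceId":"i-constructed"}`)} // constructed, unsigned
	fmt.Println("fail-open:", verifyFailOpen(forged, []*rsa.PublicKey{&priv.PublicKey}))
	fmt.Println("fail-closed:", verifyFailClosed(forged, []*rsa.PublicKey{&priv.PublicKey}))
}
```

Run stand-alone, the fail-open verifier returns nil for the unsigned document while the fail-closed one returns an error; the same split appears for a document whose signature was made by a key outside the trust set.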

Affected Version(s)

go-witness < 0.9.1

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved
