Vulnerability in Evervault's Payment Security SDK May Allow Invalid Document Validation
CVE-2025-64186

8.7HIGH

Key Information:

Vendor

Evervault

Status
Evervault-go
Vendor
CVE Published:
12 November 2025

What is CVE-2025-64186?

A vulnerability has been identified in the attestation verification logic of Evervault's evervault-go SDK, specifically in versions prior to 1.3.2. This issue may allow incomplete attestation documents to bypass validation, leading clients to mistakenly trust enclave operators that do not conform to required integrity standards. While the exploitability is primarily limited to specific Evervault-hosted environments due to constraints around domain name requests, applications that only check PCR8 are particularly at risk. Those that validate all PCR values experience reduced impact, especially when checking PCR 0, 1, and 2. The vulnerability has been mitigated in version 1.3.2 through enhanced validation of attestation documents before caching and implementation of a new SatisfiedBy check. Users of evervault-go operating outside Evervault environments who cannot upgrade can mitigate the risk by implementing additional verification logic or custom pre-validation checks.

Affected Version(s)

evervault-go < 1.3.2

References

https://github.com/evervault/evervault-go/security/adviso...
x_refsource_CONFIRM
https://github.com/evervault/evervault-go/pull/48
x_refsource_MISC
https://github.com/evervault/evervault-go/commit/7c824d28...
x_refsource_MISC

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-64186 : Vulnerability in Evervault's Payment Security SDK May Allow Invalid Document Validation