Vulnerability in Evervault's Payment Security SDK May Allow Invalid Document Validation
CVE-2025-64186
What is CVE-2025-64186?
A vulnerability has been identified in the attestation verification logic of Evervault's evervault-go SDK in versions prior to 1.3.2. It may allow incomplete attestation documents to pass validation, leading clients to trust enclave operators that do not meet the required integrity standards. Exploitability is largely limited to specific Evervault-hosted environments because of constraints on domain name requests; applications that check only PCR8 are particularly at risk, while those that validate all PCR values, especially PCR 0, 1, and 2, see reduced impact. The issue is fixed in version 1.3.2, which validates attestation documents more thoroughly before caching them and adds a new SatisfiedBy check. Users of evervault-go running outside Evervault environments who cannot upgrade can reduce the risk by adding their own verification logic or custom pre-validation checks.
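As an added example (not Evervault's or the SDK's own code), the PCR8-only client pattern the advisory warns about is shown beside the kind of custom pre-validation check it recommends for clients that cannot upgrade: every expected PCR must be present, non-empty and matching before the document is trusted or cached. The AttestationDoc type, the function names and the sample measurements are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// AttestationDoc is a hypothetical, simplified model of a parsed enclave
// attestation document (not evervault-go's own type). PCRs maps a PCR index
// to its hex-encoded measurement; an absent key models an incomplete document.
type AttestationDoc struct {
	PCRs map[int]string
}

// ExpectedPCRs are the measurements the client requires from the enclave.
type ExpectedPCRs map[int]string

// WeakPCR8Only models the risky client pattern: it compares PCR8 alone and
// ignores every other PCR, so a document missing PCR0-2 is still accepted.
func WeakPCR8Only(doc AttestationDoc, want ExpectedPCRs) bool {
	return doc.PCRs[8] == want[8]
}

// StrictPreValidate is the kind of custom pre-validation check the advisory
// suggests: reject the document unless every expected PCR is present,
// non-empty and equal to the expected measurement, before anything is cached.
func StrictPreValidate(doc AttestationDoc, want ExpectedPCRs) error {
	if len(doc.PCRs) == 0 {
		return errors.New("attestation document carries no PCR values")
	}
	for idx, exp := range want {
		got, ok := doc.PCRs[idx]
		if !ok || got == "" {
			return fmt.Errorf("incomplete attestation document: PCR%d missing", idx)
		}
		if got != exp {
			return fmt.Errorf("PCR%d mismatch: enclave measurement not trusted", idx)
		}
	}
	return nil
}

func main() {
	// Constructed sample measurements (real PCRs are hex digests).
	want := ExpectedPCRs{0: "pcr0-ok", 1: "pcr1-ok", 2: "pcr2-ok", 8: "pcr8-ok"}
	full := AttestationDoc{PCRs: map[int]string{0: "pcr0-ok", 1: "pcr1-ok", 2: "pcr2-ok", 8: "pcr8-ok"}}
	partial := AttestationDoc{PCRs: map[int]string{8: "pcr8-ok"}} // PCR0-2 absent
	fmt.Println("complete doc, strict check:", StrictPreValidate(full, want))
	fmt.Println("partial doc, PCR8-only check accepts:", WeakPCR8Only(partial, want))
	fmt.Println("partial doc, strict check:", StrictPreValidate(partial, want))
}
```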

Affected Version(s)
evervault-go < 1.3.2
