CVE-2025-62375: CWE-295: Improper Certificate Validation in in-toto go-witness
go-witness and witness are Go modules for generating attestations. In go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier the AWS attestor improperly verifies AWS EC2 instance identity documents. Verification can incorrectly succeed when a signature is not present or is empty, and when RSA signature verification fails. The attestor also embeds a single legacy global AWS public certificate and does not account for newer region specific certificates issued in 2024, making detection of forged documents difficult without additional trusted region data. An attacker able to supply or intercept instance identity document data (such as through Instance Metadata Service impersonation) can cause a forged identity document to be accepted, leading to incorrect trust decisions based on the attestation. This is fixed in go-witness 0.9.1 and witness 0.10.1. As a workaround, manually verify the included identity document, signature, and public key with standard tools (for example openssl) following AWS’s verification guidance, or disable use of the AWS attestor until upgraded.
AI Analysis
Technical Summary
The vulnerability CVE-2025-62375 affects the in-toto project's go-witness and witness modules, which are used to generate attestations for software supply chain security. Specifically, the AWS attestor component in go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier improperly validates AWS EC2 instance identity documents. The attestor incorrectly accepts identity documents when the signature is missing or empty, and also when RSA signature verification fails; in effect the check fails open. Separately, the attestor embeds only a single legacy global AWS public certificate and does not recognize the region-specific AWS public certificates introduced in 2024, so a document signed under a regional certificate cannot be checked against the correct key without additional trusted region data. As a result, forged or tampered instance identity documents can bypass verification, especially if an attacker can supply or intercept the instance identity document data, for example through Instance Metadata Service (IMDS) impersonation attacks. This leads to incorrect trust decisions based on forged attestations, undermining the security guarantees of the attestation process. The vulnerability does not require authentication or user interaction and can be exploited remotely if the attacker can influence the instance identity document data. The issue is resolved in go-witness 0.9.1 and witness 0.10.1 by properly validating signatures and supporting updated AWS certificates. Workarounds include manual verification of identity documents and signatures using standard cryptographic tools following AWS guidance, or disabling the AWS attestor until patched. No known exploits are reported in the wild as of publication.
Potential Impact
For European organizations leveraging in-toto go-witness or witness modules in their software supply chain security, especially those running workloads on AWS EC2 instances, this vulnerability poses a significant risk to the integrity of attestation processes. Forged or improperly validated instance identity documents can lead to false trust in compromised or unauthorized instances, potentially allowing attackers to bypass security controls, escalate privileges, or inject malicious code into trusted pipelines. This undermines the security of continuous integration/continuous deployment (CI/CD) workflows and cloud infrastructure security posture. Organizations relying on these modules for compliance or regulatory attestations may face increased risk of supply chain attacks or audit failures. The impact is heightened in environments where instance metadata is accessible or where attackers can perform metadata service impersonation attacks. Given the widespread use of AWS in Europe and the increasing adoption of supply chain security tooling, the vulnerability could affect critical infrastructure, financial services, and technology sectors. However, the lack of known exploits and the medium CVSS score suggest the threat is moderate but warrants prompt remediation to maintain trust in attestation mechanisms.
Mitigation Recommendations
European organizations should immediately upgrade go-witness to version 0.9.1 or later and witness to version 0.10.1 or later to ensure proper validation of AWS EC2 instance identity documents. Until upgrades are applied, disable the AWS attestor component to prevent acceptance of forged attestations. Implement manual verification of instance identity documents and signatures using cryptographic tools such as OpenSSL, strictly following AWS's official verification guidelines to detect forged or tampered documents. Restrict access to the Instance Metadata Service (IMDS) by enforcing IMDSv2 usage and applying network segmentation or firewall rules to limit metadata access to authorized processes only, reducing the risk of metadata impersonation attacks. Monitor logs and attestation results for anomalies indicating possible forged identity documents or attestation failures. Incorporate additional attestation layers or alternative identity verification mechanisms to reduce reliance on a single attestor. Finally, maintain awareness of updates to AWS public certificates and ensure attestation tools are kept current with AWS certificate rotations and regional variations.
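The two checks discussed above (fail closed on a missing or failing signature, and select the trusted key by region rather than relying on one global certificate) are shown below as an added Go example. It is not go-witness or witness code: the key pairs and the identity document are constructed placeholders, the `verifyFailOpen` function is a sketch of the defect class rather than the project's source, and the choice of PKCS#1 v1.5 over SHA-256 is an assumption. For real documents, AWS's published per-region certificates and its verification guidance remain the authority.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// identityDoc holds the subset of instance identity document fields used here.
type identityDoc struct {
	InstanceID string `json:"instanceId"`
	Region     string `json:"region"`
	AccountID  string `json:"accountId"`
}

// TrustStore maps a region to the public key trusted to sign that region's
// documents. AWS publishes the real certificates; these are generated placeholders.
type TrustStore map[string]*rsa.PublicKey

// verifyFailOpen is a constructed sketch of the defect class, not go-witness
// source: a missing signature and a failed RSA check both end in "accepted".
func verifyFailOpen(doc, sig []byte, pub *rsa.PublicKey) bool {
	if len(sig) == 0 {
		return true // BUG: absence of a signature is treated as success
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		fmt.Println("warning: signature check failed:", err) // BUG: logged, not fatal
	}
	return true
}

// VerifyStrict fails closed: the signature must be present, the document must
// name a region with a trusted key, and the RSA check must pass for that key.
// PKCS#1 v1.5 over SHA-256 is assumed here; follow AWS's guidance for the real format.
func VerifyStrict(doc, sig []byte, store TrustStore) error {
	if len(sig) == 0 {
		return errors.New("identity document has no signature")
	}
	var d identityDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return fmt.Errorf("identity document is not valid JSON: %w", err)
	}
	pub, ok := store[d.Region]
	if !ok {
		return fmt.Errorf("no trusted signing key for region %q", d.Region)
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature does not verify for region %q: %w", d.Region, err)
	}
	return nil
}

// signDoc stands in for the metadata service's signing side so the example runs offline.
func signDoc(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Scenario bundles constructed regional keys, a constructed document and its signature.
type Scenario struct {
	Store TrustStore
	Doc   []byte
	Sig   []byte
}

// NewScenario generates two regional keys and signs a constructed eu-west-1 document.
func NewScenario() (*Scenario, error) {
	euKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	usKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	doc := []byte(`{"instanceId":"i-0123456789abcdef0","region":"eu-west-1","accountId":"123456789012"}`)
	sig, err := signDoc(euKey, doc)
	if err != nil {
		return nil, err
	}
	store := TrustStore{"eu-west-1": &euKey.PublicKey, "us-east-1": &usKey.PublicKey}
	return &Scenario{Store: store, Doc: doc, Sig: sig}, nil
}

func main() {
	s, err := NewScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("strict, genuine document:", VerifyStrict(s.Doc, s.Sig, s.Store))
	fmt.Println("strict, no signature:", VerifyStrict(s.Doc, nil, s.Store))
	fmt.Println("fail-open accepts missing signature:", verifyFailOpen(s.Doc, nil, s.Store["eu-west-1"]))
}
```

The point of the region lookup is that a key set containing only the legacy global certificate can never validate a document signed under a 2024 regional certificate, so the verifier must either carry the regional keys or refuse the document; silently passing it is the behaviour the advisory describes.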
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-10T14:22:48.204Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68eff91f8fdbc4b28b29b763
Added to database: 10/15/2025, 7:42:23 PM
Last enriched: 10/15/2025, 7:44:20 PM
Last updated: 10/15/2025, 9:56:07 PM