CVE-2025-64186 is a vulnerability classified under CWE-347 (Improper Verification of Cryptographic Signature) affecting the evervault-go SDK, a component used for secure enclave attestation in Evervault's payment security solution. The flaw lies in the attestation verification logic prior to version 1.3.2, where incomplete attestation documents—specifically those missing or improperly validating PCR (Platform Configuration Register) values—could be accepted as valid. This improper validation primarily affects applications that only check PCR8, a specific register used to verify enclave integrity, allowing an attacker to bypass expected integrity guarantees and potentially trust malicious enclave operators. The vulnerability is mitigated in Evervault-hosted environments due to the requirement that attackers must be able to serve requests from specific evervault domain names, which are protected by ACME challenge-based TLS certificate issuance, raising the bar for exploitation. The patch in version 1.3.2 introduces validation of attestation documents before caching and replaces naive equality checks with a more robust SatisfiedBy check, ensuring all required PCRs are present and valid. For users hosting enclaves outside Evervault environments who cannot upgrade, recommended workarounds include modifying application logic to reject attestation documents lacking PCR8 or any required PCRs and implementing custom pre-validation steps. The vulnerability has a CVSS v3.1 score of 8.7, indicating high severity due to its impact on confidentiality and integrity, the complexity of exploitation being low if prerequisites are met, and the scope affecting all applications using vulnerable versions of evervault-go.

For European organizations using the evervault-go SDK, especially in payment processing or secure enclave attestation, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive data. If exploited, attackers could cause clients to trust compromised or malicious enclave operators, potentially leading to unauthorized data access or manipulation within supposedly secure enclaves. This undermines the core security guarantees of enclave-based protections, which are critical in financial and regulated sectors prevalent in Europe. The impact is particularly severe for organizations hosting enclaves outside Evervault's managed environments, where the exploitability is higher. Given the high CVSS score and the critical role of enclave attestation in secure payment solutions, exploitation could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), financial losses, and reputational damage. However, the requirement for attackers to serve requests from specific evervault domains limits widespread exploitation, somewhat reducing immediate risk in Evervault-hosted environments.

European organizations should immediately upgrade to evervault-go version 1.3.2 or later to benefit from the patched attestation verification logic. For those unable to upgrade promptly, especially when hosting enclaves outside Evervault environments, it is crucial to implement strict application-level validation by rejecting attestation documents missing PCR8 or any other required PCRs. Custom pre-validation logic should be added to ensure completeness and integrity of attestation data before acceptance or caching. Network controls should be enforced to restrict access to evervault domain names and monitor for anomalous requests that could indicate exploitation attempts. Additionally, organizations should audit their enclave attestation configurations to ensure multiple PCRs (including PCR0, PCR1, and PCR2) are checked rather than relying solely on PCR8. Regular security assessments and monitoring for unusual enclave behavior or certificate issuance anomalies are recommended. Finally, integrating these mitigations into secure software development lifecycle (SDLC) processes will help prevent recurrence.