CVE-2025-64186 is a vulnerability identified in the evervault-go SDK, a component used for enclave attestation in Evervault's payment security solution. The flaw stems from improper verification of cryptographic signatures in attestation documents, specifically allowing incomplete or malformed documents to pass validation. This occurs primarily because applications relying solely on PCR8 (Platform Configuration Register 8) for attestation verification may accept documents missing critical integrity checks. PCRs are used in Trusted Platform Module (TPM) and enclave attestation to ensure the integrity of the platform and software environment. The vulnerability could lead to clients trusting enclave operators that do not meet expected security guarantees, potentially exposing sensitive payment data or cryptographic operations to malicious actors. Exploitation is constrained by the requirement that attackers must be able to serve requests from specific evervault domain names, tied to the ACME challenge-based TLS certificate issuance process, which limits the attack surface primarily to non-Evervault-hosted environments. The vulnerability is mitigated by verifying multiple PCR values (PCR0, 1, and 2) alongside PCR8, which reduces the risk of incomplete attestation acceptance. The fix introduced in version 1.3.2 includes validating attestation documents before caching and replacing naive equality checks with a more sophisticated SatisfiedBy check to ensure completeness and correctness of attestation data. For users unable to upgrade, especially those hosting enclaves outside Evervault environments, recommended workarounds involve modifying application logic to reject attestation documents missing or having empty PCR8 values and implementing custom pre-validation to enforce the presence of all required PCRs. The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature) and has a CVSS v3.1 score of 8.7, indicating high severity due to its impact on confidentiality and integrity without requiring user interaction but requiring high privileges to exploit.

For European organizations, particularly those in the financial technology and payment processing sectors that use Evervault's evervault-go SDK for enclave attestation, this vulnerability poses a significant risk. Exploitation could allow attackers to bypass critical integrity checks, leading to unauthorized trust in compromised or malicious enclave operators. This could result in exposure or manipulation of sensitive payment data, undermining confidentiality and integrity of transactions. Given the high CVSS score and the critical role of enclave attestation in securing cryptographic operations, the impact includes potential data breaches, regulatory non-compliance (e.g., GDPR), financial losses, and reputational damage. The limited exploitability in Evervault-hosted environments reduces risk for many users; however, organizations hosting enclaves independently or using customized deployments are at higher risk. The vulnerability's exploitation could also affect supply chain trust and the security of cryptographic key management, which are vital for secure payment ecosystems prevalent in Europe. The lack of known exploits in the wild currently provides some mitigation window, but proactive patching and validation are essential to prevent future attacks.

European organizations should immediately upgrade all instances of evervault-go SDK to version 1.3.2 or later to benefit from the official fix. For environments where upgrading is not feasible, especially those hosting enclaves outside Evervault infrastructure, implement strict application-level validation to reject attestation documents missing PCR8 or any required PCR values. Modify attestation verification logic to enforce explicit presence and non-emptiness of PCR8 and consider adding custom pre-validation layers to ensure completeness of attestation data before caching or trusting it. Additionally, restrict network access and domain name permissions to prevent unauthorized entities from serving requests from evervault domain names, thereby reducing the attack surface. Conduct thorough audits of enclave attestation processes and logs to detect anomalies or incomplete attestations. Incorporate continuous monitoring for updates from Evervault and related security advisories. Finally, integrate these mitigations into secure software development lifecycle (SDLC) practices and incident response plans to ensure rapid response to any exploitation attempts.