Impact
The dcap-qvl library has a critical gap in its cryptographic verification: it fetches QE Identity collateral from the PCCS but neither verifies that collateral's signature against its certificate chain nor enforces the identity's policy constraints on the QE Report. An attacker who can supply forged identity data can therefore get a malicious or non-Intel Quoting Enclave trusted and produce counterfeit signed quotes that the verifier accepts. This defeats the remote attestation security model: illegitimate enclaves can be presented as valid, which can lead to unauthorized access or execution of privileged code in systems that rely on SGX or TDX attestation.
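To make the missing enforcement concrete, the following is an added example (not dcap-qvl's own code) of the policy check a verifier should apply to the QE Report once it holds a QE Identity: MRSIGNER, ISVPRODID, masked MISCSELECT and ATTRIBUTES, and the ISVSVN-based TCB level. It assumes the identity's ECDSA signature and issuer chain were already verified (that step is not shown), uses the field offsets of sgx_report_body_t, and embeds a constructed sample identity with a placeholder MRSIGNER rather than Intel's real one.

```python
import json

# Field offsets inside a 384-byte sgx_report_body_t (the QE Report carried in the quote).
_MISCSELECT, _ATTRIBUTES, _MRSIGNER = slice(16, 20), slice(48, 64), slice(128, 160)
_ISVPRODID, _ISVSVN = slice(256, 258), slice(258, 260)
# Constructed sample QE Identity (Intel's JSON layout, placeholder MRSIGNER); signature assumed verified.
SAMPLE_IDENTITY = json.loads("""{"enclaveIdentity": {"id": "QE", "version": 2,
  "miscselect": "00000000", "miscselectMask": "FFFFFFFF",
  "attributes": "11000000000000000000000000000000",
  "attributesMask": "FBFFFFFFFFFFFFFF0000000000000000", "mrsigner": "%s", "isvprodid": 1,
  "tcbLevels": [{"tcb": {"isvsvn": 8}, "tcbStatus": "UpToDate"},
                {"tcb": {"isvsvn": 5}, "tcbStatus": "OutOfDate"}]}, "signature": "X"}"""
  % ("ab" * 32))

def parse_qe_report_body(body: bytes) -> dict:
    """Pull the policy-relevant fields out of a raw 384-byte QE report body."""
    assert len(body) == 384, "QE report body must be 384 bytes"
    return {"miscselect": body[_MISCSELECT], "attributes": body[_ATTRIBUTES],
            "mrsigner": body[_MRSIGNER], "isvprodid": int.from_bytes(body[_ISVPRODID], "little"),
            "isvsvn": int.from_bytes(body[_ISVSVN], "little")}

def _masked_eq(value: bytes, mask_hex: str, expected_hex: str) -> bool:
    mask, expected = bytes.fromhex(mask_hex), bytes.fromhex(expected_hex)
    return bytes(v & m for v, m in zip(value, mask)) == expected

def check_qe_identity(report: dict, identity: dict) -> str:
    """Return the QE TCB status, or raise if the report violates the identity policy."""
    ident = identity["enclaveIdentity"]
    if report["mrsigner"] != bytes.fromhex(ident["mrsigner"]):
        raise ValueError("QE MRSIGNER does not match QE Identity")
    if report["isvprodid"] != ident["isvprodid"]:
        raise ValueError("QE ISVPRODID does not match QE Identity")
    if not _masked_eq(report["miscselect"], ident["miscselectMask"], ident["miscselect"]):
        raise ValueError("QE MISCSELECT violates QE Identity")
    if not _masked_eq(report["attributes"], ident["attributesMask"], ident["attributes"]):
        raise ValueError("QE ATTRIBUTES violate QE Identity (e.g. DEBUG flag set)")
    # tcbLevels are listed highest ISVSVN first; the first level the report reaches applies.
    for level in ident["tcbLevels"]:
        if report["isvsvn"] >= level["tcb"]["isvsvn"]:
            return level["tcbStatus"]
    raise ValueError("QE ISVSVN is below every listed TCB level")

def make_report(mrsigner: bytes, isvsvn: int, attr0: int) -> bytes:
    """Constructed 384-byte report body with only the policy-relevant fields set."""
    body = bytearray(384)
    body[_ATTRIBUTES] = bytes([attr0]) + bytes(15)  # byte 0 carries the SGX flags
    body[_MRSIGNER], body[_ISVPRODID] = mrsigner, (1).to_bytes(2, "little")
    body[_ISVSVN] = isvsvn.to_bytes(2, "little")
    return bytes(body)
```

A report signed by another key, one with the DEBUG flag set, or one whose ISVSVN falls below every listed level is rejected; a matching report yields the TCB status the verifier should carry into its overall verdict.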
Affected Systems
All deployments that use Phala Network's dcap-qvl library for SGX or TDX quote verification are vulnerable, specifically versions prior to 0.3.9. The packages @phala/dcap-qvl-node and @phala/dcap-qvl-web, which use the non-pure-JavaScript implementation, are also affected. This covers any application that imports dcap-qvl to validate enclave quotes and relies on its default identity verification logic.
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity, but the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply forged QE Identity data to a system that processes quotes through dcap-qvl; once that data is in place, the attacker can generate trusted-looking quotes that bypass attestation checks. Because no workarounds exist and the flaw bypasses fundamental attestation guarantees, the risk remains high for affected systems until they are updated.
OpenCVE Enrichment
Github GHSA