CISA-2025-66564
Reported by GitHub_M · Published December 4, 2025
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| sigstore | timestamp-authority | < 2.0.3 |
| sigstore | timestamp-authority | *, < 2.0.3 |
Timeline
- Dec 4, 2025 CVE Published
- Dec 5, 2025 CVE Updated