DEBIAN-CVE-2025-66564

DEBIAN-CVE-2025-66564 PUBLISHED CVSS 7.5 HIGH

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Debian:14	golang-github-sigstore-timestamp-authority	0, 1.2.3-2, 0
Debian:13	golang-github-sigstore-timestamp-authority	0, 1.2.3-2, 1.2.9-1

Exploit Intelligence

v2.5.json (github-poc)
seen_cves.json (github-poc)

Timeline

Dec 4, 2025 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-66564 advisory

Open in Interactive Console →