CVE-2025-66564 | THREATINT

Description

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.

PUBLISHED Reserved 2025-12-04 | Published 2025-12-04 | Updated 2025-12-04 | Assigner GitHub_M

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-405: Asymmetric Resource Consumption (Amplification)

Product status

< 2.0.3

affected

References

github.com/...hority/security/advisories/GHSA-4qg8-fj49-pxjh

github.com/...ommit/0cae34e197d685a14904e0bad135b89d13b69421

cve.org (CVE-2025-66564)

nvd.nist.gov (CVE-2025-66564)

Download JSON