Description
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature and breaking the type-binding guarantee that DSSE is designed to provide. This issue is fixed in version 3.2.1.
Problem types
CWE-347: Improper Verification of Cryptographic Signature
Product status
References
github.com/...ore-js/security/advisories/GHSA-jfc7-64v2-mr8c
github.com/sigstore/sigstore-js/pull/1657
github.com/...ommit/b5aa4f1f8d2db0a9dfa6430fb114d9c2f1c304f7
github.com/.../sigstore-js/releases/tag/@sigstore/core@3.2.1