Home

Description

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature and breaking the type-binding guarantee that DSSE is designed to provide. This issue is fixed in version 3.2.1.

PUBLISHED Reserved 2026-05-22 | Published 2026-07-14 | Updated 2026-07-14 | Assigner GitHub_M




MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Problem types

CWE-347: Improper Verification of Cryptographic Signature

Product status

< 3.2.1
affected

References

github.com/...ore-js/security/advisories/GHSA-jfc7-64v2-mr8c

github.com/sigstore/sigstore-js/pull/1657

github.com/...ommit/b5aa4f1f8d2db0a9dfa6430fb114d9c2f1c304f7

github.com/.../sigstore-js/releases/tag/@sigstore/core@3.2.1

cve.org (CVE-2026-48758)

nvd.nist.gov (CVE-2026-48758)

Download JSON