CVE-2025-66506
BaseFortify
Publication date: 2025-12-04
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | fulcio | < 1.8.3 (fixed in 1.8.3) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-405 | Asymmetric Resource Consumption (Amplification): the product does not properly control situations in which an adversary can cause it to consume or produce excessive resources without investing equivalent work or otherwise proving authorization, i.e., the adversary's influence is "asymmetric." |
AI Powered Q&A
Can you explain this vulnerability to me?
Fulcio versions before 1.8.3 are affected. Before it can pick the OIDC provider that should verify an identity token, Fulcio reads the issuer out of the token in identity.extractIssuerURL, and that function splits the still-untrusted token on every period character. A crafted token made up of many periods therefore forces the server to allocate memory in proportion to the token's length before any validation has taken place, while the attacker only pays the cost of sending those bytes (CWE-405, asymmetric resource consumption). Enough such requests exhaust memory and deny service. The issue was fixed in version 1.8.3.
How can this vulnerability impact me?
A request carrying a period-laden OIDC identity token drives up memory use on the Fulcio host, so a series of such requests can stall or crash the certificate authority. The result is a denial of service: Fulcio stops issuing code-signing certificates to legitimate signers, and any pipeline that depends on it (for example, keyless signing with cosign) fails until the service recovers.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Fulcio to version 1.8.3 or later, which contains the fix, and confirm that the deployed binary or container image actually reports 1.8.3 or later. Until the upgrade is rolled out, a request-body size limit at the reverse proxy or ingress in front of Fulcio bounds the allocation, because it scales with the token length; this lowers the exposure but does not remove it.
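The following Go program is an added example (it is not Fulcio's code and not the patch that shipped in 1.8.3). It illustrates both the mechanism described in the first answer above and the hardening direction behind the mitigation advice: a vulnerable issuer-extraction routine that splits the token on every period, beside a variant that caps size and separator count before splitting. MaxTokenBytes, the function names and the sample token are assumptions constructed for the demonstration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MaxTokenBytes is an assumed upper bound on a legitimate OIDC identity token.
// Real tokens are a few kilobytes; choose a limit that fits your issuers.
const MaxTokenBytes = 16 * 1024

// ExtractIssuerVulnerable mirrors the pattern the advisory describes: the
// compact JWT (header.payload.signature) is split on every period before
// anything is validated. strings.Split allocates one substring per period,
// so a body made of N periods costs the server N+1 allocations while costing
// the attacker only N bytes on the wire (CWE-405).
func ExtractIssuerVulnerable(token string) (string, error) {
	parts := strings.Split(token, ".") // unbounded: len(parts) == periods+1
	if len(parts) != 3 {
		return "", errors.New("malformed token") // too late, memory is already allocated
	}
	return decodeIssuer(parts[1])
}

// ExtractIssuerHardened bounds the work before touching the token: a size cap,
// a separator-count check, and SplitN so at most three substrings are created
// regardless of what the input contains.
func ExtractIssuerHardened(token string) (string, error) {
	if len(token) > MaxTokenBytes {
		return "", errors.New("token exceeds size limit")
	}
	if strings.Count(token, ".") != 2 {
		return "", errors.New("malformed token")
	}
	parts := strings.SplitN(token, ".", 3) // bounded: at most 3 substrings
	return decodeIssuer(parts[1])
}

// decodeIssuer base64url-decodes the payload segment and reads the iss claim.
// This is the unverified read a CA has to do to select the right OIDC verifier;
// signature verification happens afterwards, against that issuer's keys.
func decodeIssuer(payload string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Issuer string `json:"iss"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", fmt.Errorf("parse claims: %w", err)
	}
	if claims.Issuer == "" {
		return "", errors.New("missing iss claim")
	}
	return claims.Issuer, nil
}

// PartsAllocated returns how many substrings the vulnerable path allocates for
// a token: the quantity the attacker controls.
func PartsAllocated(token string) int {
	return len(strings.Split(token, "."))
}

// BuildSampleToken constructs an unsigned, JWT-shaped token for local testing.
// It is not a real identity token; the signature segment is a placeholder.
func BuildSampleToken(issuer string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]string{"iss": issuer, "sub": "repo:example/example"})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".placeholder-signature"
}

func main() {
	good := BuildSampleToken("https://token.actions.githubusercontent.com")
	hostile := strings.Repeat(".", 1<<20) // constructed attack input: 1 MiB of periods

	iss, err := ExtractIssuerHardened(good)
	fmt.Println("legitimate token ->", iss, err)

	fmt.Println("hostile token: vulnerable path allocates", PartsAllocated(hostile), "substrings")
	_, err = ExtractIssuerHardened(hostile)
	fmt.Println("hostile token: hardened path ->", err)
}
```

Running it shows the asymmetry directly: one megabyte of periods makes the vulnerable path build a slice of over a million strings before it can notice the token is malformed, while the hardened path rejects the same input on the size check without splitting at all. The actual change in Fulcio 1.8.3 may differ in detail; the point is that every bound is applied before the allocation the attacker controls.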