CVE-2025-66564
BaseFortify
Publication date: 2025-12-04
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | sigstore_timestamp_authority | to 2.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-405 | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Sigstore Timestamp Authority service prior to version 2.0.3. The issue arises because the functions api.ParseJSONRequest and api.getContentType process untrusted input data by splitting strings (an OID and a Content-Type header, respectively) on certain characters. If a malicious request contains an excessively long OID with many periods or a malformed Content-Type header, these functions allocate memory proportional to the length of the input, potentially leading to excessive memory usage or resource exhaustion.
How can this vulnerability impact me? :
The vulnerability can lead to a denial of service condition by causing the Sigstore Timestamp Authority service to allocate large amounts of memory when processing maliciously crafted requests. This can degrade service availability or crash the service due to resource exhaustion.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Sigstore Timestamp Authority to version 2.0.3 or later, as this version contains the fix for the vulnerability.