Description

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.

INFO

Published Date :

2025-12-04T22:04:41.637Z

Last Modified :

2025-12-05T15:32:25.591Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66506 vulnerability.

Vendors Products
Linuxfoundation
  • Fulcio
Sigstore
  • Fulcio
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66506.

URL Resource
https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a cve-icon cve-icon cve-icon
https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-66506 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-66506 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact