Description

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.

INFO

Published Date :

2025-12-04T22:37:13.307Z

Last Modified :

2025-12-05T14:55:53.273Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66564 vulnerability.

Vendors Products
Linuxfoundation
  • Sigstore Timestamp Authority
Sigstore
  • Timestamp Authority
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66564.

URL Resource
https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421 cve-icon cve-icon cve-icon
https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-66564 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-66564 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact