CVE-2025-66564
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-66564
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-66564.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-66564
- Aliases
- Downstream
- Published
- 2025-12-04T22:37:13.307Z
- Modified
- 2025-12-09T17:55:55.828322Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Sigstore Timestamp Authority allocates excessive memory during request parsing
- Details
-
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66564.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-405" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66564.json
- https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421
- https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh
- https://nvd.nist.gov/vuln/detail/CVE-2025-66564