GHSA-f83f-xpx7-ffpw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f83f-xpx7-ffpw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-f83f-xpx7-ffpw/GHSA-f83f-xpx7-ffpw.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-f83f-xpx7-ffpw
- Aliases
- Published
- 2025-12-05T18:18:26Z
- Modified
- 2025-12-05T18:31:30.493644Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Fulcio allocates excessive memory during token parsing
- Details
-
Function identity.extractIssuerURL currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.
As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to
extractIssuerURLincurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)Details See identity.extractIssuerURL
Impact Excessive memory allocation
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2025-12-04T22:15:49Z", "severity": "HIGH", "cwe_ids": [ "CWE-405" ], "github_reviewed_at": "2025-12-05T18:18:26Z" }- References
Affected packages
Go / github.com/sigstore/fulcio
Package
- Name
- github.com/sigstore/fulcio
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/sigstore/fulcio