UBUNTU-CVE-2025-66564
- Source
- https://ubuntu.com/security/CVE-2025-66564
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-66564.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2025-66564
- Upstream
- Published
- 2025-12-04T23:15:00Z
- Modified
- 2025-12-11T08:51:47.097614Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.
- References
Affected packages
Ubuntu:25.10 / golang-github-sigstore-timestamp-authority
Package
- Name
- golang-github-sigstore-timestamp-authority
- Purl
- pkg:deb/ubuntu/golang-github-sigstore-timestamp-authority@1.2.3-2?arch=source&distro=questing