Medium severity5.3NVD Advisory· Published May 20, 2024· Updated Apr 15, 2026

CVE-2024-35194

Description

Minder is a software supply chain security platform. Prior to version 0.0.50, Minder engine is susceptible to a denial of service from memory exhaustion that can be triggered from maliciously created templates. Minder engine uses templating to generate strings for various use cases such as URLs, messages for pull requests, descriptions for advisories. In some cases can the user control both the template and the params for it, and in a subset of these cases, Minder reads the generated template entirely into memory. When Minders templating meets both of these conditions, an attacker is able to generate large enough templates that Minder will exhaust memory and crash. This vulnerability is fixed in 0.0.50.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/stacklok/minderGo	< 0.0.50	0.0.50

Patches

fe321d345b4f

https://github.com/mindersec/mindervia osv

006c6fa04075

https://github.com/stacklok/mindervia osv

fe321d345b4f

Merge pull request from GHSA-8fmj-33gw-g7pw

https://github.com/stacklok/minderJuan Antonio OsorioMay 20, 2024via ghsa

commit

1 file changed · +9 −2

internal/verifier/sigstore/container/container.go+9 −2 modified

@@ -24,6 +24,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 
@@ -49,6 +50,10 @@ var (
 	// ErrProvenanceNotFoundOrIncomplete is returned when there's no provenance info (missing .sig or attestation) or
 	// has incomplete data
 	ErrProvenanceNotFoundOrIncomplete = errors.New("provenance not found or incomplete")
+
+	// MaxAttestationsBytesLimit is the maximum number of bytes we're willing to read from the attestation endpoint
+	// We'll limit this to 10mb for now
+	MaxAttestationsBytesLimit int64 = 10 * 1024 * 1024
 )
 
 const (
@@ -291,8 +296,9 @@ func getAttestationReply(
 	}
 	defer resp.Body.Close()
 
+	lr := io.LimitReader(resp.Body, MaxAttestationsBytesLimit)
 	var attestationReply AttestationReply
-	if err := json.NewDecoder(resp.Body).Decode(&attestationReply); err != nil {
+	if err := json.NewDecoder(lr).Decode(&attestationReply); err != nil {
 		return nil, fmt.Errorf("error decoding response: %w", err)
 	}
 
@@ -446,7 +452,8 @@ func getSimpleSigningLayersFromSignatureManifest(manifestRef string, auth authn.
 	}
 
 	// Parse the manifest
-	manifest, err := v1.ParseManifest(bytes.NewReader(mf))
+	r := io.LimitReader(bytes.NewReader(mf), MaxAttestationsBytesLimit)
+	manifest, err := v1.ParseManifest(r)
 	if err != nil {
 		return nil, fmt.Errorf("error parsing signature manifest: %w", err)
 	}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-crgc-2583-rw27ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-35194ghsaADVISORY
github.com/stacklok/minder/commit/fe321d345b4f738de6a06b13207addc72b59f892nvdWEB
github.com/stacklok/minder/security/advisories/GHSA-crgc-2583-rw27nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000