Fulcio allocates excessive memory during token parsing
Description
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.
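The allocation pattern the advisory describes, shown beside a bounded variant, as an added example: this is not Fulcio's code and not the fix from the referenced commit, and `sampleToken`, `maxTokenLen` and the function names are constructed for illustration. The hardened form caps input size and uses `strings.Cut`, which returns substrings without allocating, in place of `strings.Split`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed inputs, not taken from Fulcio: an unsigned JWT whose payload
// is {"iss":"https://x.test"}, and a size cap applied before any parsing.
const (
	sampleToken = "eyJhbGciOiJub25lIn0.eyJpc3MiOiJodHRwczovL3gudGVzdCJ9.sig"
	maxTokenLen = 8 * 1024
)

// issuerUnbounded mirrors the vulnerable pattern. strings.Split allocates a
// []string with one 16-byte header per substring, and n periods yield n+1
// substrings, so a junk token of n periods costs about 16n bytes up front.
func issuerUnbounded(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("not a JWT")
	}
	return issuerClaim(parts[1])
}

// issuerBounded is a hardened form: reject oversized input first, then
// locate the payload with strings.Cut, which allocates nothing however
// many periods the token contains. A missing payload fails to decode.
func issuerBounded(token string) (string, error) {
	if len(token) > maxTokenLen {
		return "", errors.New("token exceeds size limit")
	}
	_, rest, _ := strings.Cut(token, ".")
	payload, _, _ := strings.Cut(rest, ".")
	return issuerClaim(payload)
}

// issuerClaim base64url-decodes a JWT payload segment and returns "iss".
func issuerClaim(seg string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return "", err
	}
	var c struct{ Iss string `json:"iss"` }
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	return c.Iss, nil
}
```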
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/sigstore/fulcio (Go) | < 1.8.3 | 1.8.3 |
References
- github.com/advisories/GHSA-f83f-xpx7-ffpw (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-66506 (NVD advisory)
- github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a (fix commit)
- github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw (vendor advisory)