Sigstore Timestamp Authority allocates excessive memory during request parsing
Description
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to version 2.0.3, the function api.ParseJSONRequest splits an optionally provided OID (untrusted data) on periods via a call to strings.Split. Similarly, the function api.getContentType splits the Content-Type header (also untrusted data) on an application string. strings.Split allocates one substring header per separator it finds, so a malicious request carrying either an excessively long OID consisting of many period characters or a malformed Content-Type header causes a call to api.ParseJSONRequest or api.getContentType to allocate O(n) bytes, where n is the length of the function's argument. Because the split happens before the input is validated, memory use scales with the size of the request the client chooses to send. This vulnerability is fixed in version 2.0.3.
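A worked illustration of the pattern the description refers to, written for this page in Go; it is not code from the timestamp-authority repository and does not reproduce the 2.0.3 fix. The function names (splitPieces, parseOIDUnbounded, parseOIDBounded, mediaTypeBounded), the limits maxOIDLen and maxContentTypeLen, and the sample inputs are assumptions chosen for the example. It puts the split-first parser beside a bounded one that checks length and scans arcs in place, and applies the same discipline to a Content-Type header using the standard library's mime.ParseMediaType.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strconv"
	"strings"
)

// Assumed limits for this example; the upstream fix may use different values.
const (
	maxOIDLen         = 256 // longest OID string accepted before parsing
	maxContentTypeLen = 512 // longest Content-Type header accepted
)

// splitPieces shows the cost of the vulnerable pattern: strings.Split
// returns one substring per separator plus one, so an input of n period
// characters forces a slice of n+1 string headers to be allocated before
// any validation can reject it.
func splitPieces(s string) int {
	return len(strings.Split(s, "."))
}

// parseOIDUnbounded mirrors the pre-2.0.3 shape: split first, validate
// afterwards. It is the "before" side and deliberately applies no bound.
func parseOIDUnbounded(oid string) ([]uint64, error) {
	parts := strings.Split(oid, ".") // O(len(oid)) allocation on hostile input
	arcs := make([]uint64, 0, len(parts))
	for _, p := range parts {
		v, err := strconv.ParseUint(p, 10, 64)
		if err != nil {
			return nil, fmt.Errorf("invalid OID arc %q: %w", p, err)
		}
		arcs = append(arcs, v)
	}
	return arcs, nil
}

// parseOIDBounded is the hardened form: enforce a length limit, then scan
// the string once and convert each arc in place. Memory is bounded by
// maxOIDLen no matter how many separators the client sends.
func parseOIDBounded(oid string) ([]uint64, error) {
	if oid == "" {
		return nil, errors.New("empty OID")
	}
	if len(oid) > maxOIDLen {
		return nil, fmt.Errorf("OID length %d exceeds limit %d", len(oid), maxOIDLen)
	}
	var arcs []uint64
	start := 0
	for i := 0; i <= len(oid); i++ {
		if i < len(oid) && oid[i] != '.' {
			if oid[i] < '0' || oid[i] > '9' {
				return nil, fmt.Errorf("non-digit byte %q at offset %d", oid[i], i)
			}
			continue
		}
		// i is either a period or one past the end: close the current arc.
		if i == start {
			return nil, fmt.Errorf("empty arc at offset %d", i)
		}
		v, err := strconv.ParseUint(oid[start:i], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("invalid OID arc %q: %w", oid[start:i], err)
		}
		arcs = append(arcs, v)
		start = i + 1
	}
	return arcs, nil
}

// mediaTypeBounded applies the same discipline to Content-Type: reject an
// oversize header up front, then let mime.ParseMediaType do the parsing
// instead of ad hoc string splitting.
func mediaTypeBounded(header string) (string, error) {
	if len(header) > maxContentTypeLen {
		return "", fmt.Errorf("content-type length %d exceeds limit %d", len(header), maxContentTypeLen)
	}
	mt, _, err := mime.ParseMediaType(header)
	if err != nil {
		return "", fmt.Errorf("malformed content-type: %w", err)
	}
	return mt, nil
}

func main() {
	hostile := strings.Repeat(".", 100000) // constructed attacker payload
	fmt.Println("pieces allocated by strings.Split:", splitPieces(hostile))
	_, err := parseOIDUnbounded(hostile)
	fmt.Println("unbounded parser (rejects only after allocating):", err)
	_, err = parseOIDBounded(hostile)
	fmt.Println("bounded parser (rejects before allocating):", err)
	arcs, _ := parseOIDBounded("1.3.6.1.4.1.57264.1.1") // sample OID, constructed
	fmt.Println("bounded parser on a well-formed OID:", arcs)
	mt, _ := mediaTypeBounded("application/json; charset=utf-8")
	fmt.Println("media type:", mt)
}
```

The point to take from the comparison is ordering: strings.Split commits memory proportional to the number of separators before any validation runs, so the length check has to come first, and both parsers reject the hostile input, only at different cost. Operators who cannot upgrade immediately can cap request size in front of the service (net/http's http.MaxBytesReader on the body, http.Server's MaxHeaderBytes for headers, or an equivalent reverse-proxy limit), which bounds n, but upgrading to 2.0.3 is the fix.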
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/sigstore/timestamp-authority (Go) | < 2.0.3 | 2.0.3 |
Affected products
Products are identified by package URL (purl); no CPE is assigned to any of them. The 178 entries below pair each purl with its affected version range, in the order the source records them.

| Package (purl) | Affected versions |
|---|---|
| pkg:apk/chainguard/aactl | < 0.4.12-r43 |
| pkg:apk/chainguard/cg | < 0.2.193-r1 |
| pkg:apk/chainguard/chainctl | < 0.2.194-r0 |
| pkg:apk/chainguard/cloudbeat-8.19 | < 8.19.16-r0 |
| pkg:apk/chainguard/cloudbeat-9.3 | < 9.3.1-r0 |
| pkg:apk/chainguard/cloudbeat-9.4 | < 9.4.0-r2 |
| pkg:apk/chainguard/cloudbeat-fips-8.19 | < 8.19.16-r0 |
| pkg:apk/chainguard/cloudbeat-fips-9.3 | < 9.3.0-r1 |
| pkg:apk/chainguard/cloudbeat-fips-9.4 | < 9.4.0-r1 |
| pkg:apk/chainguard/cosign | < 3.0.3-r0 |
| pkg:apk/chainguard/cosign-fips | < 3.0.3-r0 |
| pkg:apk/chainguard/crossplane-1.20 | < 1.20.4-r2 |
| pkg:apk/chainguard/crossplane-2.0 | < 2.0.6-r2 |
| pkg:apk/chainguard/crossplane-2.1 | < 2.1.3-r2 |
| pkg:apk/chainguard/crossplane-fips-1.20 | < 1.20.4-r2 |
| pkg:apk/chainguard/crossplane-fips-2.0 | < 2.0.6-r2 |
| pkg:apk/chainguard/crossplane-fips-2.1 | < 2.1.3-r2 |
| pkg:apk/chainguard/docker-cli-buildx | < 0.31.1-r2 |
| pkg:apk/chainguard/falcoctl | < 0.12.0-r0 |
| pkg:apk/chainguard/falcoctl-fips | < 0.12.1-r0 |
| pkg:apk/chainguard/flux-source-controller | < 1.7.4-r5 |
| pkg:apk/chainguard/flux-source-controller-fips | < 1.7.4-r4 |
| pkg:apk/chainguard/gh | < 2.83.2-r0 |
| pkg:apk/chainguard/gh-doc | < 2.83.2-r0 |
| pkg:apk/chainguard/gitsign | < 0.14.0-r0 |
| pkg:apk/chainguard/goreleaser | < 2.13.3-r0 |
| pkg:apk/chainguard/image-factory | < 0.9.0-r2 |
| pkg:apk/chainguard/image-factory-fips | < 0.9.0-r2 |
| pkg:apk/chainguard/ko | < 0.18.1-r0 |
| pkg:apk/chainguard/ko-fips | < 0.18.1-r0 |
| pkg:apk/chainguard/kubescape | < 3.0.47-r0 |
| pkg:apk/chainguard/kyverno-1.16 | < 1.16.2-r2 |
| pkg:apk/chainguard/kyverno-background-controller-1.16 | < 1.16.2-r2 |
| pkg:apk/chainguard/kyverno-background-controller-fips-1.16 | < 1.16.3-r1 |
| pkg:apk/chainguard/kyverno-cleanup-controller-1.16 | < 1.16.2-r2 |
| pkg:apk/chainguard/kyverno-cleanup-controller-fips-1.16 | < 1.16.3-r1 |
| pkg:apk/chainguard/kyverno-cli-1.16 | < 1.16.2-r2 |
| pkg:apk/chainguard/kyverno-cli-fips-1.16 | < 1.16.3-r1 |
| pkg:apk/chainguard/kyverno-fips-1.16 | < 1.16.3-r1 |
| pkg:apk/chainguard/kyverno-init-container-1.16 | < 1.16.2-r2 |
| pkg:apk/chainguard/kyverno-init-container-fips-1.16 | < 1.16.3-r1 |
| pkg:apk/chainguard/kyverno-notation-aws | < 1.1-r26 |
| pkg:apk/chainguard/kyverno-notation-aws-fips | < 1.1-r26 |
| pkg:apk/chainguard/kyverno-policy-reporter-plugins-kyverno | < 0.5.3-r2 |
| pkg:apk/chainguard/kyverno-policy-reporter-plugins-kyverno-fips | < 0.5.3-r1 |
| pkg:apk/chainguard/kyverno-reports-controller-1.16 | < 1.16.2-r2 |
| pkg:apk/chainguard/kyverno-reports-controller-fips-1.16 | < 1.16.3-r1 |
| pkg:apk/chainguard/neuvector-sigstore-interface | < 0_git20251212-r0 |
| pkg:apk/chainguard/neuvector-sigstore-interface-fips | < 0_git20251212-r0 |
| pkg:apk/chainguard/policy-controller | < 0.15.1-r0 |
| pkg:apk/chainguard/policy-controller-fips | < 0.15.1-r0 |
| pkg:apk/chainguard/policy-controller-tester | < 0.15.1-r0 |
| pkg:apk/chainguard/policy-controller-tester-fips | < 0.15.1-r0 |
| pkg:apk/chainguard/sigstore-scaffolding | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-cloudsqlproxy | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-ctlog-createctconfig | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-ctlog-managectroots | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-ctlog-verifyfulcio | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-cloudsqlproxy | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-ctlog-createctconfig | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-ctlog-managectroots | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-ctlog-verifyfulcio | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-fulcio-createcerts | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-getoidctoken | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-rekor-createsecret | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-trillian-createdb | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-trillian-createtree | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-trillian-updatetree | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-tsa-createcertchain | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-tuf-createsecret | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fips-tuf-server | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-fulcio-createcerts | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-getoidctoken | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-rekor-createsecret | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-trillian-createdb | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-trillian-createtree | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-trillian-updatetree | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-tsa-createcertchain | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-tuf-createsecret | < 0.7.31-r3 |
| pkg:apk/chainguard/sigstore-scaffolding-tuf-server | < 0.7.31-r3 |
| pkg:apk/chainguard/skaffold | < 2.17.1-r0 |
| pkg:apk/chainguard/skaffold-fips | < 2.17.1-r0 |
| pkg:apk/chainguard/spire-agent | < 1.14.0-r1 |
| pkg:apk/chainguard/spire-agent-fips | < 1.14.0-r1 |
| pkg:apk/chainguard/tekton-chains | < 0.26.0-r3 |
| pkg:apk/chainguard/tekton-chains-fips | < 0.26.0-r5 |
| pkg:apk/chainguard/teleport-17 | < 17.7.23-r0 |
| pkg:apk/chainguard/teleport-17-kube-agent-updater | < 17.7.23-r0 |
| pkg:apk/chainguard/teleport-17-operator | < 17.7.23-r0 |
| pkg:apk/chainguard/teleport-18 | < 18.7.6-r0 |
| pkg:apk/chainguard/teleport-18.6 | < 18.6.8-r9 |
| pkg:apk/chainguard/teleport-18.6-kube-agent-updater | < 18.6.8-r9 |
| pkg:apk/chainguard/teleport-18.6-operator | < 18.6.8-r9 |
| pkg:apk/chainguard/teleport-18-kube-agent-updater | < 18.7.6-r0 |
| pkg:apk/chainguard/teleport-18-kube-agent-updater-compat | < 18.7.2-r12 |
| pkg:apk/chainguard/teleport-18-operator | < 18.7.6-r0 |
| pkg:apk/chainguard/teleport-18-operator-compat | < 18.7.2-r12 |
| pkg:apk/chainguard/teleport-operator-fips-17 | < 17.7.13-r1 |
| pkg:apk/chainguard/teleport-operator-fips-18 | < 18.6.1-r1 |
| pkg:apk/chainguard/tflint | < 0.60.0-r3 |
| pkg:apk/chainguard/tflint-compat | < 0.60.0-r3 |
| pkg:apk/chainguard/tflint-fips | < 0.60.0-r3 |
| pkg:apk/chainguard/tflint-fips-compat | < 0.60.0-r3 |
| pkg:apk/chainguard/tkn | < 0.43.0-r7 |
| pkg:apk/chainguard/tkn-fips | < 0.43.0-r3 |
| pkg:apk/chainguard/trivy | < 0 |
| pkg:apk/chainguard/trivy-fips | < 0 |
| pkg:apk/chainguard/trivy-operator | < 0 |
| pkg:apk/chainguard/trivy-operator-fips | < 0 |
| pkg:apk/chainguard/vexctl | < 0.4.1-r4 |
| pkg:apk/chainguard/witness | < 0.10.1-r4 |
| pkg:apk/chainguard/zarf | < 0.68.1-r0 |
| pkg:apk/chainguard/zot | < 2.1.14-r0 |
| pkg:apk/wolfi/aactl | < 0.4.12-r43 |
| pkg:apk/wolfi/cosign | < 3.0.3-r0 |
| pkg:apk/wolfi/cosign-fips | < 3.0.3-r0 |
| pkg:apk/wolfi/crossplane-2.1 | < 2.1.3-r2 |
| pkg:apk/wolfi/docker-cli-buildx | < 0.31.1-r2 |
| pkg:apk/wolfi/falcoctl | < 0.12.0-r0 |
| pkg:apk/wolfi/flux-source-controller | < 1.7.4-r5 |
| pkg:apk/wolfi/gh | < 2.83.2-r0 |
| pkg:apk/wolfi/gh-doc | < 2.83.2-r0 |
| pkg:apk/wolfi/gitsign | < 0.14.0-r0 |
| pkg:apk/wolfi/goreleaser | < 2.13.3-r0 |
| pkg:apk/wolfi/ko | < 0.18.1-r0 |
| pkg:apk/wolfi/ko-fips | < 0.18.1-r0 |
| pkg:apk/wolfi/kubescape | < 3.0.47-r0 |
| pkg:apk/wolfi/kyverno-1.16 | < 1.16.2-r2 |
| pkg:apk/wolfi/kyverno-background-controller-1.16 | < 1.16.2-r2 |
| pkg:apk/wolfi/kyverno-cleanup-controller-1.16 | < 1.16.2-r2 |
| pkg:apk/wolfi/kyverno-cli-1.16 | < 1.16.2-r2 |
| pkg:apk/wolfi/kyverno-init-container-1.16 | < 1.16.2-r2 |
| pkg:apk/wolfi/kyverno-notation-aws | < 1.1-r26 |
| pkg:apk/wolfi/kyverno-reports-controller-1.16 | < 1.16.2-r2 |
| pkg:apk/wolfi/neuvector-sigstore-interface | < 0_git20251212-r0 |
| pkg:apk/wolfi/policy-controller | < 0.15.1-r0 |
| pkg:apk/wolfi/policy-controller-tester | < 0.15.1-r0 |
| pkg:apk/wolfi/sigstore-scaffolding | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-cloudsqlproxy | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-ctlog-createctconfig | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-ctlog-managectroots | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-ctlog-verifyfulcio | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-fulcio-createcerts | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-getoidctoken | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-rekor-createsecret | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-trillian-createdb | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-trillian-createtree | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-trillian-updatetree | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-tsa-createcertchain | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-tuf-createsecret | < 0.7.31-r3 |
| pkg:apk/wolfi/sigstore-scaffolding-tuf-server | < 0.7.31-r3 |
| pkg:apk/wolfi/skaffold | < 2.17.1-r0 |
| pkg:apk/wolfi/spire-agent | < 1.14.0-r1 |
| pkg:apk/wolfi/tekton-chains | < 0.26.0-r3 |
| pkg:apk/wolfi/teleport-17 | < 17.7.23-r0 |
| pkg:apk/wolfi/teleport-18 | < 18.7.6-r0 |
| pkg:apk/wolfi/teleport-18.6 | < 18.6.8-r9 |
| pkg:apk/wolfi/teleport-18.6-kube-agent-updater | < 18.6.8-r9 |
| pkg:apk/wolfi/teleport-18.6-operator | < 18.6.8-r9 |
| pkg:apk/wolfi/teleport-18-kube-agent-updater | < 18.7.6-r0 |
| pkg:apk/wolfi/teleport-18-kube-agent-updater-compat | < 18.7.2-r12 |
| pkg:apk/wolfi/teleport-18-operator | < 18.7.6-r0 |
| pkg:apk/wolfi/teleport-18-operator-compat | < 18.7.2-r12 |
| pkg:apk/wolfi/tflint | < 0.60.0-r3 |
| pkg:apk/wolfi/tflint-compat | < 0.60.0-r3 |
| pkg:apk/wolfi/tkn | < 0.43.0-r7 |
| pkg:apk/wolfi/trivy | < 0 |
| pkg:apk/wolfi/trivy-operator | < 0 |
| pkg:apk/wolfi/vexctl | < 0.4.1-r4 |
| pkg:apk/wolfi/witness | < 0.10.1-r4 |
| pkg:apk/wolfi/zarf | < 0.68.1-r0 |
| pkg:apk/wolfi/zot | < 2.1.14-r0 |
| pkg:golang/github.com/sigstore/timestamp-authority | < 2.0.3 |
| pkg:rpm/opensuse/govulncheck-vulndb?distro=openSUSE%20Leap%2015.6 | < 0.0.20251209T172047-150000.1.127.1 |
| pkg:rpm/opensuse/trivy?distro=openSUSE%20Leap%2016.0 | < 0.69.0-bp160.1.1 |
| pkg:rpm/opensuse/trivy?distro=openSUSE%20Tumbleweed | < 0.69.0-1.1 |
| pkg:rpm/suse/govulncheck-vulndb?distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 | < 0.0.20251209T172047-150000.1.127.1 |

Advisory-level range for github.com/sigstore/timestamp-authority: < 2.0.3
Patches
- Fix commit referenced by the advisory: github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421 (fix released in 2.0.3)
References
- github.com/advisories/GHSA-4qg8-fj49-pxjh (GitHub Advisory Database, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-66564 (NVD, ADVISORY)
- github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421 (fix commit, WEB, x_refsource_MISC)
- github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh (repository advisory, WEB, x_refsource_CONFIRM)