Sigstore Timestamp Authority allocates excessive memory during request parsing
Description
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sigstore Timestamp Authority before 2.0.3 is vulnerable to excessive memory allocation via untrusted OID or Content-Type headers, enabling denial of service.
Vulnerability
Overview
The Sigstore Timestamp Authority, a service for issuing RFC 3161 timestamps, contains a denial-of-service vulnerability in versions prior to 2.0.3. The flaw resides in two API functions: api package functions: ParseJSONRequest and getContentType. In ParseJSONRequest, an optionally-provided OID (Object Identifier) from untrusted request data is split on periods using strings.Split, which allocates memory proportional to the entire split result slice regardless of the number of sub-identifiers. Similarly, getContentType splits the Content-Type header on the string on the substring "application/" using strings.Split, also allocating memory proportional to the input length [1][2][4].
Exploitation and
Attack Surface
An attacker can exploit this vulnerability by sending a malicious HTTP request to the timestamp authority. For ParseJSONRequest, the attacker provides an excessively long OID containing many period characters (e.g., thousands of) period characters. For getContentType, a malformed Content-Type header with many occurrences of "application/" triggers the same excessive allocation. No authentication is required, as these functions process untrusted input from any request. The attack is network-based and requires no special privileges [2][4].
Impact
Successful exploitation causes the server to allocate memory proportional to the length of the attacker-controlled input (O(n) bytes), potentially exhausting available memory and leading to a denial of service. This is classified as an asymmetric resource consumption (amplification) vulnerability (CWE-405). The service becomes unresponsive or crashes, disrupting timestamp issuance for legitimate users [2][4].
Mitigation
The vulnerability is fixed in version 2.0.3. The patch introduces bounds checking: for OIDs, the number of periods is counted and limited to 128 (per RFC 2578), and strings.SplitN is used to limit allocations. For the Content-Type header, the count of "application/" substrings is checked to be checked to ensure it equals 1, and strings.SplitN is used with a limit of 2 [3]. Users should upgrade to v2.0.3 immediately. No workarounds exist within the service itself; if behind a load balancer, administrators may configure it to reject excessively large requests as a partial mitigation [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/sigstore/timestamp-authorityGo | < 2.0.3 | 2.0.3 |
Affected products
2- Range: <2.0.3
- sigstore/timestamp-authorityv5Range: < 2.0.3
Patches
10cae34e197d6Merge commit from fork (#1236)
2 files changed · +11 −2
pkg/api/error.go+1 −0 modified@@ -29,6 +29,7 @@ import ( const ( failedToGenerateTimestampResponse = "Error generating timestamp response" + excesssivelyLongOID = "OID should be comprised of at most 128 components" WeakHashAlgorithmTimestampRequest = "Weak hash algorithm in timestamp request" InconsistentDigestLengthTimestampRequest = "Message digest has incorrect length for specified algorithm" )
pkg/api/timestamp.go+10 −2 modified@@ -78,7 +78,12 @@ func ParseJSONRequest(reqBytes []byte) (*timestamp.Request, string, error) { if req.TSAPolicyOID == "" { oidInts = nil } else { - for _, v := range strings.Split(req.TSAPolicyOID, ".") { + // 128 is the max number of sub-identifiers per + // https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + if c := strings.Count(req.TSAPolicyOID, "."); c > 128 { + return nil, excesssivelyLongOID, fmt.Errorf("oid has %d sub identifiers, expected 128", c) + } + for _, v := range strings.SplitN(req.TSAPolicyOID, ".", 129) { i, _ := strconv.Atoi(v) oidInts = append(oidInts, i) } @@ -113,7 +118,10 @@ func parseDERRequest(reqBytes []byte) (*timestamp.Request, string, error) { func getContentType(r *http.Request) (string, error) { contentTypeHeader := r.Header.Get("Content-Type") - splitHeader := strings.Split(contentTypeHeader, "application/") + if strings.Count(contentTypeHeader, "application/") != 1 { + return "", errors.New("content-type header should specify application only once") + } + splitHeader := strings.SplitN(contentTypeHeader, "application/", 2) if len(splitHeader) != 2 { return "", errors.New("expected header value to be split into two pieces") }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-4qg8-fj49-pxjhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-66564ghsaADVISORY
- github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421ghsax_refsource_MISCWEB
- github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjhghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.