VYPR
High severityNVD Advisory· Published Dec 4, 2025· Updated Dec 5, 2025

Sigstore Timestamp Authority allocates excessive memory during request parsing

CVE-2025-66564

Description

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/sigstore/timestamp-authorityGo
< 2.0.32.0.3

Affected products

179

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.