x/vulndb: potential Go vuln in github.com/sigstore/fulcio: GHSA-f83f-xpx7-ffpw #4193
Description
Advisory GHSA-f83f-xpx7-ffpw references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/sigstore/fulcio |
Description:
Function identity.extractIssuerURL currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.
As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: [CWE-405: Asymmetric R...
References:
- ADVISORY: GHSA-f83f-xpx7-ffpw
- ADVISORY: GHSA-f83f-xpx7-ffpw
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-66506
- FIX: sigstore/fulcio@765a0e5
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/sigstore/fulcio
non_go_versions:
- introduced: TODO (earliest fixed "1.8.3", vuln range "<= 1.8.2")
vulnerable_at: 1.8.3
summary: Fulcio allocates excessive memory during token parsing in github.com/sigstore/fulcio
cves:
- CVE-2025-66506
ghsas:
- GHSA-f83f-xpx7-ffpw
references:
- advisory: https://github.com/advisories/GHSA-f83f-xpx7-ffpw
- advisory: https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-66506
- fix: https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a
source:
id: GHSA-f83f-xpx7-ffpw
created: 2025-12-05T19:01:20.50986221Z
review_status: UNREVIEWED