CVE-2025-66564 found in golang/github.com/sigstore/timestamp-authority@v1.2.2
Important
Risk: 1.15 (Low)
CVSS: 7.5
Description
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to version 2.0.3, the function api.ParseJSONRequest splits (via a call to strings.Split) an optionally provided OID, which is untrusted data, on periods. Similarly, the function api.getContentType splits the Content-Type header, also untrusted data, on an application string. Because strings.Split allocates one substring per separator before any validation happens, a malicious request carrying either an excessively long OID made up of many period characters or a malformed Content-Type header causes a call to api.ParseJSONRequest or api.getContentType to incur allocations of O(n) bytes, where n is the length of the function's argument. An unauthenticated client can therefore drive memory consumption on the server with nothing more than large requests. This vulnerability is fixed in version 2.0.3.
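The allocation pattern described above, shown as an added Go example that is not code from the timestamp-authority project: parseOIDUnbounded mirrors the weak shape (split first, validate later), parseOIDBounded caps byte length and arc count before anything proportional to the input is allocated, and mediaType takes the media type with a single strings.Cut instead of a Split. The function names, the limits (64 bytes, 32 arcs), treating an empty OID as absent, and the ';' parameter separator are all assumptions made for this example, not the project's own logic.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Bounds chosen for this example; they are assumptions, not values taken from
// the timestamp-authority project. Real RFC 3161 policy OIDs are a few dozen
// bytes long with well under 32 arcs.
const (
	maxOIDLen  = 64 // bytes
	maxOIDArcs = 32 // dot-separated components
)

var (
	ErrOIDTooLong   = errors.New("oid: exceeds length or arc limit")
	ErrOIDMalformed = errors.New("oid: arc is not a non-negative integer")
)

// parseOIDUnbounded shows the weak pattern the advisory describes: the
// attacker-controlled string is split on every period before any size check.
// strings.Split returns one string header per component (16 bytes each on a
// 64-bit platform), so n bytes of periods cost roughly 16*(n+1) bytes of
// headers, all allocated before the first component is even validated.
func parseOIDUnbounded(s string) ([]int, error) {
	if s == "" {
		return nil, nil // assumption: the OID is optional, empty means absent
	}
	parts := strings.Split(s, ".")
	arcs := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, ErrOIDMalformed
		}
		arcs = append(arcs, n)
	}
	return arcs, nil
}

// parseOIDBounded refuses oversized input before allocating anything that
// scales with it. len is O(1) and strings.Count walks the bytes once without
// allocating, so the attacker pays for their own request size exactly once.
func parseOIDBounded(s string) ([]int, error) {
	if len(s) > maxOIDLen || strings.Count(s, ".")+1 > maxOIDArcs {
		return nil, ErrOIDTooLong
	}
	return parseOIDUnbounded(s) // input is now bounded, safe to split
}

// mediaType returns the Content-Type media type without its parameters.
// strings.Cut performs a single split, so a header stuffed with separators
// costs one substring rather than one per separator.
func mediaType(header string) string {
	mt, _, _ := strings.Cut(header, ";")
	return strings.ToLower(strings.TrimSpace(mt))
}

func main() {
	fmt.Println(parseOIDBounded("1.2.3.4.5.6.7.8"))

	// Constructed hostile input: one MiB of period characters.
	hostile := strings.Repeat(".", 1<<20)
	_, err := parseOIDBounded(hostile)
	fmt.Println("hostile OID rejected:", errors.Is(err, ErrOIDTooLong))

	fmt.Println(mediaType("application/json; charset=utf-8"))
}
```

The point of the pre-check is that the number of allocations must not depend on how many separators the client sends; rejecting on length and on strings.Count costs a single linear scan and no heap growth. For production Content-Type handling, mime.ParseMediaType from the standard library is the idiomatic choice; the one-cut version here only illustrates the bound.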
Affected component
The vulnerability is in pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2, found in artifacts pkg:devguard/test-org/test-repository.
Recommended fix
Upgrade to version v2.0.3 or later. Two caveats apply. First, a Go module at major version 2 uses the /v2 module path, so the fixed release is github.com/sigstore/timestamp-authority/v2@v2.0.3; neither go get -u nor a go get of the v1 path will move to it. Second, in this artifact the module is pulled in transitively through github.com/aquasecurity/trivy (see the path below), so the v1 module stays in the build until trivy itself depends on v2. Until that happens, run govulncheck against the artifact to confirm whether the affected symbols are actually reachable.
# Update all golang packages (minor and patch versions only)
go get -u ./...
# Pull in the fixed major version directly (v2 lives at the /v2 module path)
go get github.com/sigstore/timestamp-authority/v2@v2.0.3
Additional guidance for mitigating vulnerabilities
Visit our guides on devguard.org
Path to component
%%{init: { 'theme':'base', 'themeVariables': {
'primaryColor': '#F3F3F3',
'primaryTextColor': '#0D1117',
'primaryBorderColor': '#999999',
'lineColor': '#999999',
'secondaryColor': '#ffffff',
'tertiaryColor': '#ffffff'
} }}%%
flowchart TD
root(["root"]) --- sbom_SBOM_DEFAULT(["sbom:SBOM_DEFAULT"])
sbom_SBOM_DEFAULT(["sbom:SBOM_DEFAULT"]) --- github_com_aquasecurity_trivy(["github.com/aquasecurity/trivy"])
github_com_aquasecurity_trivy(["github.com/aquasecurity/trivy"]) --- github_com_sigstore_timestamp_authority(["github.com/sigstore/timestamp-authority"])
classDef default stroke-width:2px
| Risk Factor | Value | Description |
|---|---|---|
| Vulnerability Depth | 3 | The vulnerability is in a dependency of a dependency in your project; it is 3 levels deep (see the path above). |
| EPSS | 0.00 % | The exploit probability is very low; the vulnerability is unlikely to be exploited in the next 30 days. |
| EXPLOIT | Not available | No public exploit was found, neither in GitHub repositories nor in the Exploit-Database. For a resource-exhaustion bug of this kind the attack is a single oversized request, so the absence of a published exploit is weak evidence of safety. |
| CVSS-BE | 7.5 | Exploiting this vulnerability significantly impacts availability. |
| CVSS-B | 7.5 | Exploitable over the network without physical access; low attack complexity; no privileges and no user interaction required; scope unchanged (the impact is confined to the system where the vulnerability exists); high impact on availability, none on confidentiality or integrity. This matches the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. |
More details can be found in DevGuard
Interact with this vulnerability
You can use the following slash commands to interact with this vulnerability:
👍 Reply with this to acknowledge and accept the identified risk.
/accept I accept the risk of this vulnerability, because ...
⚠️ Mark the risk as false positive: Use one of these commands if you believe the reported vulnerability is not actually a valid issue.
/component-not-present The vulnerable component is not included in the artifact.
/vulnerable-code-not-present The component is present, but the vulnerable code is not included or compiled.
/vulnerable-code-not-in-execute-path The vulnerable code exists, but is never executed at runtime.
/vulnerable-code-cannot-be-controlled-by-adversary The vulnerable code exists, but an attacker cannot control or influence its input.
/inline-mitigations-already-exist Built-in protections prevent exploitation of this vulnerability.
🔁 Reopen the risk: Use this command to reopen a previously closed or accepted vulnerability.
/reopen ...