CVE-2025-66564

NameCVE-2025-66564
DescriptionSigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1122060

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-sigstore-timestamp-authority (PTS)trixie1.2.3-2vulnerable
forky, sid2.0.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-sigstore-timestamp-authoritysource(unstable)2.0.3-11122060

Notes

[trixie] - golang-github-sigstore-timestamp-authority <no-dsa> (Minor issue)
https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh
Fixed by: https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421 (v2.0.3)
Search for package or bug name: Reporting problems