Fulcio allocates excessive memory during token parsing
CVE-2025-66506

7.5HIGH

Key Information:

Vendor: Sigstore
Status: Fulcio
Vendor: CVE Published:; 4 December 2025

What is CVE-2025-66506?

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.

Affected Version(s)

fulcio < 1.8.3

References

https://github.com/sigstore/fulcio/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/sigstore/fulcio/commit/765a0e57608b9ef...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 4, 2025
Vulnerability Reserved
Dec 3, 2025

JSON

Sigstore

What is CVE-2025-66506?

Affected Version(s)

References

CVSS V3.1

Timeline