Parsing Vulnerability in Fulcio Certificate Authority from Sigstore
CVE-2025-66506

7.5HIGH

Key Information:

Vendor: Sigstore
Status: Fulcio
Vendor: CVE Published:; 4 December 2025

What is CVE-2025-66506?

Fulcio, the certificate authority from Sigstore for issuing code signing certificates, is susceptible to a data parsing issue in versions prior to 1.8.3. Specifically, the vulnerability arises in the function identity.extractIssuerURL, which improperly handles untrusted data by naively splitting input strings on periods. This can lead to problematic allocations where the system may experience excessive memory usage in response to crafted requests containing malicious OIDC identity tokens. Such tokens can include numerous period characters, posing a risk of resource exhaustion. This issue has been rectified in version 1.8.3.

Affected Version(s)

fulcio < 1.8.3

References

https://github.com/sigstore/fulcio/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/sigstore/fulcio/commit/765a0e57608b9ef...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 4, 2025
Vulnerability Reserved
Dec 3, 2025

JSON