Sigstore Timestamp Authority allocates excessive memory during request parsing
CVE-2025-66564

7.5HIGH

Key Information:

Vendor

Sigstore

Status
Timestamp-authority
Vendor
CVE Published:
4 December 2025

What is CVE-2025-66564?

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.

Affected Version(s)

timestamp-authority < 2.0.3

References

https://github.com/sigstore/timestamp-authority/security/...
x_refsource_CONFIRM
https://github.com/sigstore/timestamp-authority/commit/0c...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-66564 : Input Validation Flaw in Sigstore Timestamp Authority Affects Multiple Versions