Input Validation Flaw in Sigstore Timestamp Authority Affects Multiple Versions
CVE-2025-66564

7.5HIGH

Key Information:

Vendor: Sigstore
Status: Timestamp-authority
Vendor: CVE Published:; 4 December 2025

What is CVE-2025-66564?

The Sigstore Timestamp Authority, a service for issuing RFC 3161 timestamps, has a vulnerability in its input validation process. Versions prior to 2.0.3 contain flaws in the API methods api.ParseJSONRequest and api.getContentType, which handle untrusted data. These methods improperly split the OID and Content-Type header inputs on periods, leading to potential memory allocation issues when processing malicious requests. Such requests could contain excessively long OIDs or malformed Content-Type headers, resulting in performance degradation. The issue has been addressed in version 2.0.3.

Affected Version(s)

timestamp-authority < 2.0.3

References

https://github.com/sigstore/timestamp-authority/security/...

x_refsource_CONFIRM

https://github.com/sigstore/timestamp-authority/commit/0c...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 4, 2025
Vulnerability Reserved
Dec 4, 2025

JSON