JavaScript Library Vulnerability in Sigstore Services by Sigstore
CVE-2026-48758

5.4MEDIUM

Key Information:

Vendor

Sigstore

Vendor
CVE Published:
14 July 2026

What is CVE-2026-48758?

The sigstore-js library, used for interacting with Sigstore services, has a vulnerability in the preAuthEncoding function of the @sigstore/core module. Before version 3.2.1, this function improperly employs Node.js ASCII encoding while converting the PAE string to bytes. This allows the payloadType to be altered post-signing without rendering the signature invalid, consequently undermining the type-binding assurance designed by DSSE. This critical issue was addressed in version 3.2.1, which rectifies the encoding process and restores the intended security measures.

Affected Version(s)

sigstore-js < 3.2.1

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.