JavaScript Library Vulnerability in Sigstore Services by Sigstore
CVE-2026-48758
5.4MEDIUM
What is CVE-2026-48758?
The sigstore-js library, used for interacting with Sigstore services, has a vulnerability in the preAuthEncoding function of the @sigstore/core module. Before version 3.2.1, this function improperly employs Node.js ASCII encoding while converting the PAE string to bytes. This allows the payloadType to be altered post-signing without rendering the signature invalid, consequently undermining the type-binding assurance designed by DSSE. This critical issue was addressed in version 3.2.1, which rectifies the encoding process and restores the intended security measures.
Affected Version(s)
sigstore-js < 3.2.1
