Certificate Validation Issue in Sigstore.js JavaScript Library
CVE-2026-48815
7.5HIGH
What is CVE-2026-48815?
The sigstore-js library facilitates interactions with Sigstore services in JavaScript applications. Prior to the release of version 4.1.1, a vulnerability existed where the certificateOIDs option provided in the sigstore.verify() function was accepted by the public API, but ultimately disregarded during the verification process. As a result, necessary certificate extension OIDs that restrict which certificates are permitted to sign artifacts were not verified. This oversight could allow unauthorized certificates to be accepted, potentially exposing applications to security risks. This issue was addressed in version 4.1.1.
Affected Version(s)
sigstore-js < 4.1.1
