Overview
CVE-2025-66506 is a high-severity denial-of-service (DoS) vulnerability affecting Fulcio, a free-to-use certificate authority for issuing code signing certificates based on OpenID Connect (OIDC) identities. This vulnerability, present in versions prior to 1.8.3, stems from inefficient string processing within the identity.extractIssuerURL function. By exploiting this flaw, a malicious actor can craft requests with specially designed OIDC identity tokens to trigger excessive memory allocation, leading to a denial of service.
Technical Details
The vulnerability lies in the identity.extractIssuerURL function within Fulcio. This function is responsible for extracting the issuer URL from an OIDC identity token. Prior to version 1.8.3, the function uses strings.Split to split the input string (which is untrusted user data) on period characters (.). An attacker can exploit this by providing an OIDC identity token containing an excessive number of periods. strings.Split returns a slice holding one string header per substring, and on 64-bit Go a string header is 16 bytes (a pointer and a length), so the memory allocated is proportional to the number of substrings rather than to anything the server has validated. Specifically, the allocation is around O(n) bytes, with a constant factor of approximately 16, where n is the length of the attacker-controlled input string. By sending requests with very long strings containing many periods, an attacker can exhaust the server's memory, leading to a denial of service.
CVSS Analysis
- CVSS Score: 7.5 (HIGH)
A CVSS score of 7.5 indicates a high-severity vulnerability. While the CVSS vector string is not reproduced here, a score at this level generally indicates that the vulnerability is remotely exploitable without authentication and has a significant impact on the availability of the Fulcio service.
Possible Impact
Successful exploitation of CVE-2025-66506 can lead to a denial-of-service condition, making the Fulcio certificate authority unavailable. This can prevent developers from obtaining code signing certificates, disrupting software development and deployment pipelines that rely on Fulcio for code signing assurance.
Mitigation or Patch Steps
The vulnerability is fixed in Fulcio version 1.8.3. Users are strongly advised to upgrade to version 1.8.3 or later as soon as possible. If upgrading is not immediately feasible, consider implementing rate limiting and input validation to restrict the size and structure of OIDC identity tokens being processed. This will limit the potential impact of malicious requests.
To upgrade Fulcio, follow the instructions provided in the official Fulcio documentation.
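As an added illustration of both the strings.Split behaviour described under Technical Details and the input-validation mitigation above (example code written for this page, not Fulcio's own implementation): an issuer-extraction routine using strings.Split beside one that bounds the token length and walks the segments with strings.Cut. The maxTokenLen value and the sample token are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

const maxTokenLen = 16 * 1024 // assumed input bound for this example, not a Fulcio value

// issuerSplit shows the vulnerable pattern: strings.Split builds one 16-byte
// string header per substring, so a token of n periods costs about 16*n bytes.
func issuerSplit(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) < 3 {
		return "", errors.New("malformed token")
	}
	return decodeIssuer(parts[1])
}

// issuerBounded rejects oversized input, then uses strings.Cut, which finds one
// delimiter at a time without allocating, so period count no longer drives memory.
func issuerBounded(token string) (string, error) {
	if len(token) > maxTokenLen {
		return "", errors.New("token exceeds size limit")
	}
	_, rest, ok := strings.Cut(token, ".")
	if !ok {
		return "", errors.New("malformed token: no payload segment")
	}
	payload, _, ok := strings.Cut(rest, ".")
	if !ok {
		return "", errors.New("malformed token: no signature segment")
	}
	return decodeIssuer(payload)
}

// decodeIssuer base64url-decodes a JWT payload segment and returns its "iss" claim.
func decodeIssuer(seg string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return "", err
	}
	var claims struct{ Iss string `json:"iss"` }
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", err
	}
	return claims.Iss, nil
}
```

The length check runs before any split, which is the property to verify when adding input validation in front of an unpatched deployment.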
