Overview
A high-severity vulnerability, tracked as CVE-2025-66564, has been identified in the Sigstore Timestamp Authority. It can be exploited to cause a Denial of Service (DoS). The issue stems from improper handling of untrusted data in the `api.ParseJSONRequest` and `api.getContentType` functions. Versions prior to 2.0.3 are affected; upgrading to version 2.0.3 is strongly recommended.
Technical Details
The vulnerability resides in the `api.ParseJSONRequest` and `api.getContentType` functions within the Sigstore Timestamp Authority. Specifically:
- `api.ParseJSONRequest`: This function splits an optionally-provided OID (Object Identifier) on periods using `strings.Split`. The OID is received as part of the request payload and is considered untrusted data. An attacker can craft a malicious request with an excessively long OID containing numerous period characters.
- `api.getContentType`: This function splits the Content-Type header on the string "application". Because the Content-Type header is also untrusted data, a malformed header triggers the same issue.
Both cases result in allocations of O(n) bytes, where n is the length of the untrusted input argument. By sending a specially crafted request with a very long OID or Content-Type header, an attacker can exhaust server memory, leading to a Denial of Service.
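To make the bound concrete, here is an added example (not code from the Sigstore project) of the defensive check a server-side OID parser should apply before splitting untrusted input: reject oversized input and cap the number of pieces before any allocation proportional to the input occurs. The limits `maxOIDLength` and `maxOIDArcs`, the function names and the sample OID are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Hypothetical limits (not from the project): an OID in a timestamp request
// is a handful of short arcs, so anything beyond this is rejected up front.
const (
	maxOIDLength = 128
	maxOIDArcs   = 32
)

var ErrOIDTooLong = errors.New("oid: input exceeds size limit")

// parseOIDUnbounded shows the weak pattern: strings.Split allocates one
// string header per separator, so memory grows with the untrusted input.
func parseOIDUnbounded(s string) ([]int, error) {
	return arcsFromStrings(strings.Split(s, "."))
}

// parseOIDBounded checks the length first, then uses SplitN so that at most
// maxOIDArcs+1 pieces can ever be produced regardless of the input.
func parseOIDBounded(s string) ([]int, error) {
	if len(s) > maxOIDLength {
		return nil, ErrOIDTooLong
	}
	parts := strings.SplitN(s, ".", maxOIDArcs+1)
	if len(parts) > maxOIDArcs {
		return nil, fmt.Errorf("oid: more than %d arcs", maxOIDArcs)
	}
	return arcsFromStrings(parts)
}

// arcsFromStrings converts each dotted component to a non-negative integer.
func arcsFromStrings(parts []string) ([]int, error) {
	arcs := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("oid: invalid arc %q", p)
		}
		arcs = append(arcs, n)
	}
	return arcs, nil
}

func main() {
	fmt.Println(parseOIDBounded("1.3.6.1.4.1.57264.1.1")) // sample OID
	_, err := parseOIDBounded(strings.Repeat("1.", 100))
	fmt.Println(err)
}
```

The same shape of check (a length cap before any split) applies to the Content-Type header path.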
CVSS Analysis
- CVE ID: CVE-2025-66564
- Severity: HIGH
- CVSS Score: 7.5
A CVSS score of 7.5 indicates a high-severity vulnerability. Exploitation can cause significant service disruption and requires no authentication, which makes the flaw easy to exploit.
Possible Impact
Successful exploitation of this vulnerability can lead to a Denial of Service (DoS) attack, making the Sigstore Timestamp Authority unavailable to legitimate users. This can disrupt services relying on accurate and trusted timestamps provided by the Authority, impacting software supply chain security.
Mitigation or Patch Steps
The vulnerability has been fixed in version 2.0.3 of the Sigstore Timestamp Authority. To mitigate the risk, it is strongly recommended to:
- Upgrade to version 2.0.3 or later. This version contains the necessary fixes to prevent the excessive memory allocation caused by malicious requests.
- Monitor system resource usage. Implement monitoring to detect unusual memory consumption or CPU usage patterns, which could indicate an ongoing attack.
References
Sigstore Timestamp Authority Commit 0cae34e197d685a14904e0bad135b89d13b69421
Sigstore Timestamp Authority Security Advisory GHSA-4qg8-fj49-pxjh
