PT-2026-55205 · Npm · @Sigstore/Verify

Published 2026-07-01 · Updated 2026-07-01

CVE-2026-48816 · CVSS v3.1 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
sigstore-js derives a transparency-log timestamp from tlogEntries[].integratedTime and uses it both to check the signing certificate's validity window and to satisfy timestampThreshold. In bundle v0.2 a tlog entry may carry only an inclusionProof (no signed inclusionPromise, i.e. no signed entry timestamp, SET), and the inclusion-proof path does not cryptographically bind integratedTime: the Merkle proof covers the entry body, not the time the log claims to have integrated it. An attacker who can supply an untrusted bundle can therefore choose integratedTime and steer time-based verification decisions.

impact

If a consumer accepts attacker-provided bundle v0.2 inputs and relies on tlog-derived timestamps for certificate validity checks, verification can be influenced by an unauthenticated timestamp value (for example, a signature made after the short-lived certificate expired can be presented with an integratedTime inside the validity window). This is a trust gap: integratedTime is treated as a trusted observer timestamp in inclusionProof-only mode even though only the signed inclusionPromise/SET path binds it.

affected code

  • packages/verify/src/bundle/index.ts (adds a transparency-log timestamp whenever integratedTime != 0)
  • packages/verify/src/timestamp/index.ts (converts integratedTime to a Date)
  • packages/verify/src/verifier.ts (verifies timestamps before verifying tlog inclusion)
  • packages/verify/src/tlog/index.ts + packages/verify/src/tlog/set.ts (only the inclusionPromise/set path binds integratedTime)

proof of concept

The attached poc.zip contains a self-contained harness that reproduces the behavior on the pinned commit and includes both a canonical test and a negative control.
repro:
  1. extract poc.zip into a fresh directory and run the make targets (bash):
       unzip poc.zip -d poc
       cd poc/poc-F-SIG-JS-TLOGTIME-001
       make canonical
       make control
  2. confirm canonical.log includes:
       [CALLSITE HIT]:
       [PROOF MARKER]:
  3. confirm control.log includes:
       [NC MARKER]:

suggested fix

Only treat integratedTime as a trusted timestamp when it is cryptographically bound (for example, via a verified signed inclusionPromise/SET). For inclusionProof-only entries, do not count integratedTime toward timestampThreshold, and do not use it for certificate validity decisions unless another signed time source is present (for example, an RFC 3161 timestamp).

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related identifiers

CVE-2026-48816
GHSA-XGJW-PM74-86Q4

Affected products

@Sigstore/Verify