Fulcio · Fulcio · CVE-2026-22772
**Name of the Vulnerable Software and Affected Versions**
Fulcio versions prior to 1.8.5
**Description**
Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. The `metaRegex()` function uses unanchored regular expressions, potentially allowing attackers to bypass MetaIssuer URL validation and trigger Server-Side Request Forgery (SSRF) to internal services. The SSRF is limited to GET requests and does not allow data exfiltration, but could be used for blind SSRF probing of an internal network.
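The anchoring defect described above, as an added Go example that is not Fulcio's own code: `issuerPattern` is a constructed stand-in for a meta-issuer pattern, not the project's actual `metaRegex()` expression. It shows why an unanchored `MatchString` accepts any URL that merely contains the expected issuer as a substring, and how anchoring the pattern with `^` and `$` restricts the check to the whole string.

```go
package main

import (
	"fmt"
	"regexp"
)

// issuerPattern is a constructed stand-in for a meta-issuer pattern; it is
// NOT Fulcio's real regular expression. It is meant to describe issuers of
// the form https://oidc.example.com/<tenant>.
const issuerPattern = `https://oidc\.example\.com/[^/]+`

// unanchored has the vulnerable shape: the pattern may match anywhere inside
// the candidate URL, so surrounding text is ignored.
var unanchored = regexp.MustCompile(issuerPattern)

// anchored has the hardened shape: the entire URL must match the pattern.
var anchored = regexp.MustCompile(`^` + issuerPattern + `$`)

// IsValidIssuerUnanchored reports whether url contains a match for the pattern.
func IsValidIssuerUnanchored(url string) bool {
	return unanchored.MatchString(url)
}

// IsValidIssuerAnchored reports whether url is, in its entirety, an issuer URL
// of the expected form.
func IsValidIssuerAnchored(url string) bool {
	return anchored.MatchString(url)
}

func main() {
	// Constructed sample inputs: one legitimate issuer URL, and one URL on an
	// unrelated host that merely contains the expected issuer as a substring.
	samples := []string{
		"https://oidc.example.com/tenant-a",
		"https://unrelated.example.org/?next=https://oidc.example.com/tenant-a",
	}
	for _, u := range samples {
		fmt.Printf("%-72s unanchored=%-5v anchored=%v\n", u,
			IsValidIssuerUnanchored(u), IsValidIssuerAnchored(u))
	}
}
```

The second sample passes the unanchored check and fails the anchored one, which is the behavioural difference the fix in 1.8.5 is about.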
**Recommendations**
Update to Fulcio version 1.8.5 or later.