CVE-2023-25656

Name of the Vulnerable Software and Affected Versions notation-go versions prior to 1.0.0-rc.3

Description The issue causes excessive memory consumption when verifying signatures, leading to application crashes and impacting availability. Users can review their trust policy file for the identity string containing =# and ensure only trusted certificates are in their trust stores with authenticity validation set to enforce.

Recommendations For versions prior to 1.0.0-rc.3, upgrade to version 1.0.0-rc.3 or above. As a temporary workaround, review your trust policy file and check if the identity string contains =#. Meanwhile, only put trusted certificates in your trust stores referenced by your trust policy files, and make sure the authenticity validation is set to enforce.