PT-2025-49168 · Fulcio+1

Published 2025-01-01 · Updated 2026-05-18 · CVE-2025-66506

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Fulcio versions prior to 1.8.3

Description: Fulcio is a certificate authority that issues code signing certificates bound to an OpenID Connect (OIDC) identity. The identity.extractIssuerURL function splits its input, which is untrusted data, on periods. A malicious request whose OIDC identity token payload contains a large number of period characters causes the function to allocate memory proportional to the input length, potentially leading to excessive memory consumption (denial of service).

Recommendations: Update to version 1.8.3 or later.
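The following is an added illustration of the pattern the description names, not Fulcio's own code: an unbounded split of untrusted token text beside a bounded alternative that caps input length and allocates at most a fixed number of segments. The function names, the length cap and the sample tokens are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// maxTokenLen is an assumed cap (constructed for this example); a real
// service sizes it to the longest legitimate OIDC token it expects.
const maxTokenLen = 8192

var errBadToken = errors.New("malformed token")

// extractPayloadUnbounded mirrors the risky pattern: strings.Split allocates
// one slice element per "." in attacker-controlled input, so memory grows
// linearly with the number of periods the caller sends.
func extractPayloadUnbounded(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) < 2 {
		return "", errBadToken
	}
	return parts[1], nil
}

// extractPayloadBounded rejects oversized input before touching it and uses
// SplitN so at most four elements are allocated no matter how many periods
// the input contains. A JWT has exactly three dot-separated segments.
func extractPayloadBounded(token string) (string, error) {
	if len(token) > maxTokenLen {
		return "", errBadToken
	}
	parts := strings.SplitN(token, ".", 4)
	if len(parts) != 3 {
		return "", errBadToken
	}
	return parts[1], nil
}

// allocatedParts reports how many slice elements each approach produces for
// the same input, making the difference visible without a profiler.
func allocatedParts(token string) (unbounded, bounded int) {
	return len(strings.Split(token, ".")), len(strings.SplitN(token, ".", 4))
}

func main() {
	hostile := strings.Repeat(".", 1<<16) // constructed input: only periods
	u, b := allocatedParts(hostile)
	fmt.Printf("unbounded split: %d elements, bounded split: %d elements\n", u, b)
	_, err := extractPayloadBounded(hostile)
	fmt.Println("bounded parser rejects it:", err)
}
```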

DoS

Related Identifiers

CLEANSTART-2026-HF07497
CVE-2025-66506
ECHO-8C75-2B8F-1138
GHSA-F83F-XPX7-FFPW
GO-2025-4193
SUSE-SU-2025:4395-1

Affected Products

Debian
Fulcio