PT-2025-49174 · Unknown+1 · Sigstore Timestamp Authority+1

Published

2025-01-01

Updated

2026-05-18

CVE-2025-66564

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Sigstore Timestamp Authority versions prior to 2.0.3

Description Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. The api.ParseJSONRequest and api.getContentType functions are susceptible to a denial-of-service issue due to excessive memory allocation. Specifically, these functions split untrusted data—an Object Identifier (OID) in the payload and the Content-Type header—on period characters and an application string, respectively. A malicious request containing a lengthy OID with numerous periods or a malformed Content-Type header can cause these functions to allocate memory proportional to the input length, potentially leading to a denial of service. The vulnerable functions are api.ParseJSONRequest and api.getContentType.

Recommendations Update to version 2.0.3 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-405

Related Identifiers

CLEANSTART-2026-BD19566

CLEANSTART-2026-EZ47382

CLEANSTART-2026-GK29346

CLEANSTART-2026-HF07497

CLEANSTART-2026-NS33477

CLEANSTART-2026-NV36169

CLEANSTART-2026-WB12909

CVE-2025-66564

ECHO-F7D3-2463-68E7

GHSA-4QG8-FJ49-PXJH

GO-2025-4192

OPENSUSE-SU-2026:10131-1

OPENSUSE-SU-2026:20191-1

SUSE-SU-2025:4395-1

Affected Products

Debian

Sigstore Timestamp Authority

PT-2025-49174 · Unknown+1 · Sigstore Timestamp Authority+1

CVE-2025-66564

Weakness Enumeration

Related Identifiers

Affected Products

References · 197