PT-2026-55205 · npm · @sigstore/verify

Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-48816

CVSS v3.1: 6.5 (Medium)

| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
sigstore-js derives a transparency-log timestamp from tlogEntries[].integratedTime and uses it both to validate certificate validity windows and to satisfy timestampThreshold. For bundle v0.2, a tlog entry can be inclusionProof-only (no signed inclusionPromise/set), and the inclusion-proof path does not cryptographically bind integratedTime. As a result, an attacker who can supply an untrusted bundle can influence time-based verification decisions by choosing integratedTime.

Impact

If a consumer accepts attacker-provided bundle v0.2 inputs and relies on tlog-derived timestamps for certificate validity checks, verification can be influenced by an unauthenticated timestamp value. This is a trust gap: integratedTime is treated as a trusted observer timestamp in inclusionProof-only mode even though only the signed inclusionPromise/set path binds it.
Affected code

- packages/verify/src/bundle/index.ts (adds a transparency-log timestamp whenever integratedTime != 0)
- packages/verify/src/timestamp/index.ts (converts integratedTime to a Date)
- packages/verify/src/verifier.ts (verifies timestamps before verifying tlog inclusion)
- packages/verify/src/tlog/index.ts + packages/verify/src/tlog/set.ts (only the inclusionPromise/set path binds integratedTime)
Proof of concept

The attached poc.zip contains a self-contained harness that reproduces the behavior on the pinned commit and includes both a canonical test and a negative control.

Repro:

- extract poc.zip into a fresh directory and run the make targets:

```bash
unzip poc.zip -d poc
cd poc/poc-F-SIG-JS-TLOGTIME-001
make canonical
make control
```

- confirm canonical.log includes:
  [CALLSITE HIT]:
  [PROOF MARKER]:
- confirm control.log includes:
  [NC MARKER]:

Suggested fix
Only treat integratedTime as a trusted timestamp when it is cryptographically bound (for example, via a verified signed inclusionPromise/set). For inclusionProof-only entries, do not count integratedTime toward timestampThreshold, and do not use it for certificate validity decisions unless there is another signed time source (for example, an RFC 3161 timestamp).

Attachments:

- poc.zip
- [PR DESCRIPTION.md](https://github.com/user-attachments/files/25643660/PR DESCRIPTION.md)
- SUBMISSION.md
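The gating described under the suggested fix, as an added example that is not sigstore-js code: a simplified TypeScript model in which the entry types, the SET verifier callback and the sample values are constructed assumptions, showing the vulnerable integratedTime != 0 gating beside the fixed gating that counts integratedTime only when the signed inclusionPromise verified.

```typescript
// Added example (not sigstore-js code): a minimal model of the advisory's
// suggested fix. The types are simplified, constructed stand-ins for the
// bundle v0.2 fields the advisory names; real bundles carry more fields.
interface TLogEntry {
  integratedTime: number; // seconds since the epoch, as carried in the bundle
  inclusionPromise?: { signedEntryTimestamp: string }; // SET, only on the signed path
  inclusionProof?: { logIndex: number }; // Merkle proof; does not bind integratedTime
}

// Stand-in for SET verification: a real implementation checks the log's
// signature over the entry with the log's public key.
type SETVerifier = (entry: TLogEntry) => boolean;

// Vulnerable gating described in the advisory: any non-zero integratedTime
// becomes a trusted timestamp, including for inclusionProof-only entries.
function tlogTimestampsVulnerable(entries: TLogEntry[]): Date[] {
  return entries
    .filter((e) => e.integratedTime !== 0)
    .map((e) => new Date(e.integratedTime * 1000));
}

// Fixed gating: integratedTime counts only when the signed inclusionPromise
// verified, because only that path cryptographically binds it.
function tlogTimestampsFixed(entries: TLogEntry[], verifySET: SETVerifier): Date[] {
  const out: Date[] = [];
  for (const e of entries) {
    if (e.inclusionPromise !== undefined && verifySET(e)) {
      out.push(new Date(e.integratedTime * 1000));
    }
    // inclusionProof-only entries contribute no timestamp at all.
  }
  return out;
}

// timestampThreshold is satisfied by trusted sources only: SET-bound tlog
// times plus RFC 3161 timestamps that were verified separately.
function meetsTimestampThreshold(tlogTimes: Date[], rfc3161Times: Date[], threshold: number): boolean {
  return tlogTimes.length + rfc3161Times.length >= threshold;
}

// Certificate validity decisions likewise consult trusted times only; with
// no trusted time there is no basis to accept the certificate window.
function certificateValidAtTrustedTime(times: Date[], notBefore: Date, notAfter: Date): boolean {
  return times.some(
    (t) => t.getTime() >= notBefore.getTime() && t.getTime() <= notAfter.getTime()
  );
}
```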
Fix

Weakness Enumeration: Insufficient Verification of Data Authenticity

Related Identifiers: CVE-2026-48816

Affected Products: @sigstore/verify