Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66564.json",
"cwe_ids": [
"CWE-405"
],
"cna_assigner": "GitHub_M"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:linuxfoundation:sigstore_timestamp_authority:*:*:*:*:*:*:*:*"
}