GHSA-xgjw-pm74-86q4

Source
https://github.com/advisories/GHSA-xgjw-pm74-86q4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-xgjw-pm74-86q4/GHSA-xgjw-pm74-86q4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xgjw-pm74-86q4
Aliases
  • CVE-2026-48816
Published
2026-07-01T19:57:45Z
Modified
2026-07-01T20:15:09.887647075Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
sigstore-js has Insufficient Verification of Data Authenticity
Details

sigstore-js derives a transparency-log timestamp from tlogEntries[].integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a tlog entry can be inclusionProof-only (no signed inclusionPromise/set), and the inclusion proof path does not cryptographically bind integratedTime. As a result, an attacker who can supply an untrusted bundle can influence time-based verification decisions by choosing integratedTime.

Impact

If a consumer accepts attacker-provided bundle v0.2 inputs and relies on tlog-derived timestamps for certificate validity checks, verification can be influenced by an unauthenticated timestamp value. This is a trust gap: integratedTime is treated as a trusted observer timestamp under inclusionProof-only mode even though only the signed inclusionPromise/set path binds it.

Affected code

  • packages/verify/src/bundle/index.ts (adds a transparency-log timestamp whenever integratedTime != 0)
  • packages/verify/src/timestamp/index.ts (converts integratedTime to a Date)
  • packages/verify/src/verifier.ts (verifies timestamps before verifying tlog inclusion)
  • packages/verify/src/tlog/index.ts + packages/verify/src/tlog/set.ts (only the inclusionPromise/set path binds integratedTime)

Proof of concept

The attached poc.zip contains a self-contained harness that reproduces the behavior on the pinned commit and includes both a canonical test and a negative control.

Repro:

1) Extract poc.zip into a fresh directory and run the make targets:

unzip poc.zip -d poc
cd poc/poc-F-SIG-JS-TLOGTIME-001
make canonical
make control

2) Confirm canonical.log includes:

[CALLSITE_HIT]:
[PROOF_MARKER]:

3) Confirm control.log includes:

[NC_MARKER]:

Suggested fix

Only treat integratedTime as a trusted timestamp when it is cryptographically bound (for example, via a verified signed inclusionPromise/set). For inclusionProof-only entries, do not count integratedTime toward timestampThreshold, and do not use it for certificate validity decisions unless there is another signed time source (for example, an RFC 3161 timestamp).
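As an added illustration of the suggested fix (not code from sigstore-js), the following shows the vulnerable timestamp-collection pattern the advisory describes beside a hardened version. The TlogEntry and Bundle types are simplified stand-ins for the bundle v0.2 structures, and verifySET is a hypothetical callback standing in for signed-entry-timestamp verification against the log key.

```typescript
// Added example, not sigstore-js code: simplified stand-ins for bundle v0.2 structures.
interface TlogEntry {
  integratedTime: number; // seconds since epoch, taken from the untrusted bundle
  inclusionPromise?: { signedEntryTimestamp: Uint8Array }; // SET over the entry
  inclusionProof?: { logIndex: number; rootHash: Uint8Array }; // Merkle proof only
}

interface Bundle {
  tlogEntries: TlogEntry[];
  rfc3161Timestamps: Date[]; // assumed already verified against a trusted TSA
}

// Hypothetical callback: true only if the SET signature verifies against the
// log key from the trust root. A real verifier would do that check here.
type VerifySET = (entry: TlogEntry) => boolean;

// Vulnerable pattern from the advisory: every non-zero integratedTime becomes
// a trusted timestamp, including entries that carry only an inclusionProof.
function collectTimestampsVulnerable(bundle: Bundle): Date[] {
  const out = [...bundle.rfc3161Timestamps];
  for (const e of bundle.tlogEntries) {
    if (e.integratedTime !== 0) out.push(new Date(e.integratedTime * 1000));
  }
  return out;
}

// Hardened pattern: integratedTime counts only when it is bound by a verified
// signed inclusionPromise. inclusionProof-only entries still prove inclusion
// but contribute no time observation toward timestampThreshold.
function collectTimestampsHardened(bundle: Bundle, verifySET: VerifySET): Date[] {
  const out = [...bundle.rfc3161Timestamps];
  for (const e of bundle.tlogEntries) {
    if (e.inclusionPromise !== undefined && verifySET(e) && e.integratedTime !== 0) {
      out.push(new Date(e.integratedTime * 1000));
    }
  }
  return out;
}

// True when at least `threshold` trusted observations fall inside the
// certificate validity window [notBefore, notAfter].
function timestampsSatisfyThreshold(
  stamps: Date[], notBefore: Date, notAfter: Date, threshold: number,
): boolean {
  const inWindow = stamps.filter(
    (t) => t.getTime() >= notBefore.getTime() && t.getTime() <= notAfter.getTime(),
  );
  return inWindow.length >= threshold;
}
```

With an inclusionProof-only entry whose integratedTime sits inside the certificate window, the vulnerable collector satisfies a threshold of 1 while the hardened collector does not.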


Database specific
{
    "github_reviewed_at": "2026-07-01T19:57:45Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-345"
    ],
    "severity": "MODERATE"
}
References

Affected packages

npm / @sigstore/verify

Package

Name
@sigstore/verify
Purl
pkg:npm/%40sigstore%2Fverify

Affected ranges

Type
SEMVER
Events
Introduced
3.1.0
Fixed
3.1.1

Affected versions

3.*
3.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-xgjw-pm74-86q4/GHSA-xgjw-pm74-86q4.json"