GHSA-hm8f-75xx-w2vr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hm8f-75xx-w2vr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-hm8f-75xx-w2vr/GHSA-hm8f-75xx-w2vr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hm8f-75xx-w2vr
- Aliases
- Published
- 2026-01-26T21:34:50Z
- Modified
- 2026-02-03T03:05:58.077154Z
- Severity
-
- 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N CVSS Calculator
- Summary
- sigstore CSRF possibility in OIDC authentication during signing
- Details
-
Summary
The sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery.
Details
_OAuthSessioncreates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value.Fix should be fairly trivial.
Impact
This should be low impact: A man-in-the middle attacker could trick a sigstore-python user into signing something with an identity controlled by the attacker (by returning the response to an authentication request they created). This would be quite confusing but not dangerous.
- Database specific
{ "github_reviewed_at": "2026-01-26T21:34:50Z", "github_reviewed": true, "nvd_published_at": "2026-01-26T23:16:08Z", "cwe_ids": [ "CWE-352" ], "severity": "LOW" }- References
-
- https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr
- https://nvd.nist.gov/vuln/detail/CVE-2026-24408
- https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa
- https://github.com/sigstore/sigstore-python
- https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0
Affected packages
PyPI / sigstore
Package
- Name
- sigstore
- View open source insights on deps.dev
- Purl
- pkg:pypi/sigstore
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.2.0
Affected versions
0.*
0.0.1rc1
0.0.1rc2
0.0.1rc3
0.1.0
0.2.0
0.3.1
0.4.0
0.4.1
0.4.2
0.5.0
0.5.1rc1
0.5.1rc2
0.5.1
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.7.0
0.8.3
0.9.0
0.10.0
1.*
1.0.0rc1
1.0.0
1.1.0
1.1.1rc1
1.1.1
1.1.2rc1
1.1.2
2.*
2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0
2.0.1
2.1.0
2.1.2
2.1.3
2.1.5
3.*
3.0.0rc1
3.0.0rc2
3.0.0
3.1.0
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1
3.5.3
3.5.6
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
4.*
4.0.0
4.1.0