Bug 2419056 (CVE-2025-66506)

Summary: CVE-2025-66506 github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abarbaro, adistefa, akoudelk, alcohan, alinfoot, alizardo, anjoseph, anpicker, aprice, bbrownin, bdettelb, bparees, carogers, dfreiber, dhanak, doconnor, drosa, drow, dsimansk, dtrifiro, dymurray, eglynn, erezende, gparvin, haoli, hasun, hkataria, ibolton, jajackso, jbalunas, jburrell, jcammara, jcantril, jchui, jfula, jhe, jjoyce, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, jowilson, jprabhak, jsamir, jschluet, kaycoth, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lball, lbragsta, lgamliel, lhh, ljawale, lphiri, lsvaty, luizcosta, mabashia, manissin, matzew, mburns, mgarciac, mnovotny, nboldt, ngough, nweather, nyancey, oezr, ometelka, owatkins, pahickey, pakotvan, pbraun, pgaikwad, pgrist, psrna, ptisnovs, rbobbitt, rbryant, rfreiman, rhaigner, rjohnson, rojacob, sakbas, sausingh, sdawley, shvarugh, simaishi, slucidi, smcdonal, sseago, stcannon, sthirugn, syedriko, teagle, tfister, thavo, veshanka, vkumar, weaton, wenshen, whayutin, wtam, xdharmai, xiyuan, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Fulcio, a free-to-use certificate authority. This vulnerability allows a denial of service (DoS) due to excessive memory allocation when processing a malicious OpenID Connect (OIDC) identity token containing numerous period characters.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2421876, 2421877, 2421878, 2421881, 2421882, 2421883, 2421887, 2421888, 2421889, 2421890, 2421892, 2421893, 2421894, 2421895, 2421896, 2421902, 2421903, 2421904, 2421905, 2421906, 2421907, 2421908, 2421909, 2421875, 2421879, 2421880, 2421884, 2421885, 2421886, 2421897, 2421898, 2421899, 2421900, 2421901, 2421910, 2421911    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-04 23:02:15 UTC 
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.