Bug 2419056 (CVE-2025-66506) - CVE-2025-66506 github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token
Summary: CVE-2025-66506 github.com/sigstore/fulcio: Fulcio: Denial of Service via crafted OpenID Connect (OIDC) token
Keywords:
Status: NEW
Alias: CVE-2025-66506
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2421876 2421877 2421878 2421881 2421882 2421883 2421887 2421888 2421889 2421890 2421892 2421893 2421894 2421895 2421896 2421902 2421903 2421904 2421905 2421906 2421907 2421908 2421909 2421875 2421879 2421880 2421884 2421885 2421886 2421897 2421898 2421899 2421900 2421901 2421910 2421911
Blocks:
Reported: 2025-12-04 23:02 UTC by OSIDB Bzimport
Modified: 2025-12-12 21:39 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-12-04 23:02:15 UTC
Fulcio is a free-to-use certificate authority that issues code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, the function identity.extractIssuerURL splits its argument, the untrusted token taken from the request, on periods via a call to strings.Split. strings.Split returns a slice holding one string header per piece, so a malicious request whose (invalid) OIDC identity token consists largely of period characters makes extractIssuerURL allocate O(n) bytes, where n is the length of the token, with a constant factor of about 16 (the size of a string header on 64-bit platforms). Because the split happens before the token is validated, a client that has not presented a valid token can drive server memory consumption with each request. This vulnerability is fixed in 1.8.3.
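The allocation pattern described above, reconstructed as an added Go example (this is not Fulcio's own code and not the 1.8.3 patch): strings.Split on an attacker-controlled token allocates one string header per piece, so a token made of periods costs about 16 bytes per period, while a SplitN bounded to the three parts of a JWS compact serialization, combined with an input length cap, allocates a constant amount regardless of input. The constant maxTokenLen, the function names and the sample token are assumptions made for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"unsafe"
)

// maxTokenLen is an assumed upper bound on the size of an ID token accepted
// from a request. It is a hypothetical limit for this example, not a Fulcio
// constant.
const maxTokenLen = 8 * 1024

// splitHeaderBytes is the size of one Go string header (data pointer + length):
// 16 bytes on 64-bit platforms, the "constant factor of about 16" in the advisory.
var splitHeaderBytes = int(unsafe.Sizeof(""))

// splitPartsUnbounded reproduces the vulnerable pattern: strings.Split on every
// period allocates one string header per piece, so n periods cost n+1 headers.
func splitPartsUnbounded(token string) int {
	return len(strings.Split(token, "."))
}

// splitPartsBounded caps the split at four pieces, so the size of the result
// no longer scales with the number of periods the attacker supplies.
func splitPartsBounded(token string) int {
	return len(strings.SplitN(token, ".", 4))
}

// splitAllocBytes estimates the bytes strings.Split allocates for its result
// slice on a given token (the substrings share the token's backing array, so
// the slice of headers is the dominant cost).
func splitAllocBytes(token string) int {
	return (strings.Count(token, ".") + 1) * splitHeaderBytes
}

// extractIssuerURL is a hardened issuer lookup: it bounds the input length,
// splits at most four times, requires exactly the three parts of a JWS compact
// serialization, and reads the "iss" claim from the base64url payload. It
// deliberately performs no signature verification; that belongs to the
// verifier selected for the issuer afterwards.
func extractIssuerURL(token string) (string, error) {
	if len(token) > maxTokenLen {
		return "", fmt.Errorf("token length %d exceeds limit %d", len(token), maxTokenLen)
	}
	parts := strings.SplitN(token, ".", 4)
	if len(parts) != 3 {
		return "", errors.New("token is not a three-part JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Issuer string `json:"iss"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", fmt.Errorf("parse payload: %w", err)
	}
	if claims.Issuer == "" {
		return "", errors.New("token has no iss claim")
	}
	return claims.Issuer, nil
}

// sampleToken builds a constructed, unsigned three-part token for the demo.
func sampleToken() string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"https://issuer.example.com","sub":"user@example.com"}`))
	return header + "." + payload + ".sig"
}

func main() {
	// Constructed malicious input: 1000 periods and nothing else.
	malicious := strings.Repeat(".", 1000)
	fmt.Printf("unbounded split pieces: %d (about %d bytes)\n",
		splitPartsUnbounded(malicious), splitAllocBytes(malicious))
	fmt.Printf("bounded split pieces:   %d\n", splitPartsBounded(malicious))
	if _, err := extractIssuerURL(malicious); err != nil {
		fmt.Println("malicious token rejected:", err)
	}
	iss, err := extractIssuerURL(sampleToken())
	fmt.Println("sample token issuer:", iss, "err:", err)
}
```

The length cap matters on its own: even a bounded SplitN still scans the whole input, so rejecting oversized tokens before any parsing keeps the per-request cost proportional to a fixed limit rather than to whatever the client chooses to send.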

