CVE-2025-66506: CWE-405: Asymmetric Resource Consumption (Amplification) in sigstore fulcio
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.
AI Analysis
Technical Summary
CVE-2025-66506 is classified under CWE-405 (Asymmetric Resource Consumption, Amplification) and affects sigstore fulcio, a free-to-use certificate authority that issues short-lived code signing certificates for OpenID Connect (OIDC) identities. In versions prior to 1.8.3, the function identity.extractIssuerURL takes the untrusted identity token from the request and splits it on period characters with strings.Split. A compact-serialized JWT has exactly two periods (header, claims, signature), but nothing bounded the split: a token made up mostly of periods yields one slice element per period, so a request of n bytes forces roughly 16n bytes of allocation (each element of the returned []string is a 16-byte string header on 64-bit platforms, which matches the constant factor of about 16 stated in the advisory). The extraction necessarily runs before the token is verified, because the issuer is what selects the provider whose keys would verify it, so the cost is paid for any request whether or not the token is valid, with no authentication or user interaction required. Repeated or concurrent requests of this kind drive memory pressure and garbage-collection load until the service degrades or is killed, a denial of service. Confidentiality and integrity are not affected. The issue was published on December 4, 2025 with a CVSS v3.1 base score of 7.5 (high), consistent with a network-reachable, low-complexity, unauthenticated vector with high availability impact; no exploitation in the wild had been reported at the time of analysis. The fix is to upgrade fulcio to 1.8.3 or later, where the input handling bounds the work done per request. Deployers can additionally reject tokens whose period count is not exactly two before any parsing, cap request body size at the edge, and rate-limit the certificate issuance endpoint.
Potential Impact
For European organizations, this vulnerability is an availability risk to any fulcio instance they run or depend on, and fulcio sits on the critical path for code signing in software supply chains. Disruption of fulcio delays or blocks signing operations, which can halt deployment pipelines and the attestation or verification steps that depend on fresh certificates. Organizations relying on automated signing and verification workflows may face downtime or be forced into manual interventions. Confidentiality and integrity are unaffected, but an unreliable signing service indirectly erodes trust in software authenticity and tempts teams to bypass signing under deadline pressure. The risk is highest for cloud service providers, software vendors, and enterprises with continuous integration/continuous deployment (CI/CD) pipelines that integrate sigstore fulcio. Because the vector is remote and unauthenticated, an attacker can exhaust memory with modest bandwidth: each byte of attacker-supplied token costs the server roughly sixteen bytes of allocation, and the requests can be issued in parallel. This could be used to disrupt critical software infrastructure or as one stage of a broader supply chain attack. Organizations using the public Sigstore instance depend on its operators to patch; organizations running their own fulcio must patch it themselves. European entities involved in open source projects or adopting sigstore for secure software signing should prioritize mitigation to maintain operational resilience.
Mitigation Recommendations
1. Upgrade fulcio to version 1.8.3 or later immediately to apply the official fix for the resource consumption vulnerability.
2. Validate the shape of OIDC identity tokens before any parsing: a compact-serialized JWT has exactly two period characters, so reject anything with a different count (strings.Count allocates nothing) and use a bounded split such as strings.SplitN rather than strings.Split. Review other code paths that split or tokenize untrusted input for the same pattern.
3. Cap request body and header size at the reverse proxy or API gateway in front of fulcio, and deploy rate limiting and throttling on the certificate issuance endpoint to blunt repeated or parallel malicious requests.
4. Monitor fulcio memory usage, garbage-collection activity, and request logs for abnormal spikes; a burst of oversized or rejected token requests is a direct indicator of exploitation attempts.
5. Where a web application firewall (WAF) or API gateway is already in place, add a rule that drops bearer tokens containing more than two periods or exceeding a sane length; valid tokens are base64url segments and never contain extra delimiters, so such a rule has no false positives on well-formed traffic.
6. Incorporate anomaly detection for unusual request patterns targeting the certificate issuance service.
7. Educate development and security teams about the vulnerability and ensure secure coding practices when handling untrusted input in similar contexts.
8. Review CI/CD pipeline dependencies on fulcio and plan for redundancy or a defined fallback so a signing outage does not force signing to be skipped.
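The following Go program is an added example written for this analysis, not fulcio's own code. It demonstrates the amplification described in the Technical Summary and the token-shape check recommended in mitigation item 2. splitHeaderBytes reproduces the unbounded strings.Split pattern and reports the bytes of slice headers it allocates for a given input; issuerFromToken is a hardened stand-in for an issuer-extraction routine that validates the period count before splitting and then reads the iss claim from the unverified claims segment (the function name, the claim handling and the constructed tokens are assumptions for illustration; the header-size arithmetic and the JWT compact-serialization rule are standard).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"unsafe"
)

// ErrMalformedToken is returned for input that is not a compact-serialized JWT
// (exactly three base64url segments separated by two periods, RFC 7519 section 7.1).
var ErrMalformedToken = errors.New("token is not a three-part compact JWT")

// stringHeaderSize is the cost of one element of a []string on this platform:
// a pointer plus a length, 16 bytes on 64-bit Go.
const stringHeaderSize = unsafe.Sizeof("")

// splitHeaderBytes reports how many bytes of []string headers strings.Split
// allocates for the given input. This is the unbounded pattern the advisory
// attributes to extractIssuerURL before 1.8.3: an input of n periods yields
// n+1 elements, roughly 16n bytes, before any segment is examined.
func splitHeaderBytes(token string) uintptr {
	parts := strings.Split(token, ".") // one element per period, no upper bound
	return uintptr(len(parts)) * stringHeaderSize
}

// issuerFromToken is the hardened form (illustrative, not fulcio's code). It
// rejects anything not shaped like a JWT using strings.Count, which allocates
// nothing, then splits with a fixed bound, decodes only the claims segment and
// returns its "iss" claim. The signature is deliberately NOT verified here:
// the issuer is what selects the provider whose keys will verify the token,
// which is exactly why this step must stay cheap on hostile input.
func issuerFromToken(token string) (string, error) {
	if strings.Count(token, ".") != 2 {
		return "", ErrMalformedToken
	}
	parts := strings.SplitN(token, ".", 3) // at most three headers, whatever the input
	for _, p := range parts {
		if p == "" {
			return "", ErrMalformedToken
		}
	}
	claims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decoding claims: %w", err)
	}
	var c struct {
		Issuer string `json:"iss"`
	}
	if err := json.Unmarshal(claims, &c); err != nil {
		return "", fmt.Errorf("parsing claims: %w", err)
	}
	if c.Issuer == "" {
		return "", errors.New("token has no iss claim")
	}
	return c.Issuer, nil
}

// makeUnsignedToken builds a constructed, unsigned JWT for the demonstration.
// The signature segment is a placeholder; nothing in this program verifies it.
func makeUnsignedToken(issuer string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	claims := base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"` + issuer + `","sub":"demo"}`))
	return header + "." + claims + ".sig"
}

func main() {
	// Constructed hostile input: a 1 MiB token consisting only of periods.
	hostile := strings.Repeat(".", 1<<20)
	cost := splitHeaderBytes(hostile)
	fmt.Printf("hostile input: %d bytes -> strings.Split slice headers: %d bytes (x%d)\n",
		len(hostile), cost, cost/uintptr(len(hostile)))

	if _, err := issuerFromToken(hostile); err != nil {
		fmt.Println("hardened path rejected it before splitting:", err)
	}

	iss, err := issuerFromToken(makeUnsignedToken("https://oidc.example.test"))
	fmt.Println("issuer from well-formed token:", iss, "error:", err)
}
```

The count-then-SplitN ordering matters: SplitN alone still scans the whole input but bounds the allocation, while strings.Count first lets the service discard a hostile request with zero allocation. A body-size limit at the proxy is the complementary control, because even the bounded path still has to read the request.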
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-03T15:12:22.978Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693209ac2bd9ee5f78fe683e
Added to database: 12/4/2025, 10:22:36 PM
Last enriched: 12/12/2025, 12:12:31 AM
Last updated: 1/18/2026, 12:04:31 PM