
CVE-2025-66564: CWE-405: Asymmetric Resource Consumption (Amplification) in sigstore timestamp-authority

Severity: High
Tags: Vulnerability, CVE-2025-66564, cve, cve-2025-66564, cwe-405
Published: Thu Dec 04 2025 (12/04/2025, 22:37:13 UTC)
Source: CVE Database V5
Vendor/Project: sigstore
Product: timestamp-authority

Description

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.

AI-Powered Analysis

AI analysis last updated: 12/04/2025, 23:05:32 UTC

Technical Analysis

CVE-2025-66564 affects the sigstore timestamp-authority service, which issues RFC 3161 timestamps used in signing and verification workflows. Prior to version 2.0.3, api.ParseJSONRequest splits an optionally supplied OID string on period characters, and api.getContentType similarly splits the Content-Type header. Both values are attacker-controlled, and neither function bounds their length before splitting. A request whose OID consists of a very long run of periods, or whose Content-Type header is malformed, therefore makes the service allocate memory proportional to the input length (O(n)). The amplification comes from the split itself: strings.Split returns a []string whose elements are 16-byte string headers on 64-bit Go, so an OID of n periods costs roughly 16(n+1) bytes of heap before a single arc is validated, many times more than the attacker had to send. Enough such requests in parallel can exhaust memory or CPU on the server. The vulnerability affects availability only; confidentiality and integrity are not impacted. Exploitation requires no privileges or user interaction and is possible remotely against the exposed HTTP API. The issue is fixed in timestamp-authority 2.0.3.
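The allocation pattern described above, shown as an added example that is not code from the timestamp-authority project: a parser written in the pre-2.0.3 style (split first, validate later) next to one that bounds the input before splitting, with a measurement of heap bytes allocated per byte of attacker input. The function names, the bounds (256 bytes, 64 arcs), and the use of mime.ParseMediaType for the Content-Type header are this example's assumptions, not the project's code or its actual fix.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"runtime"
	"strconv"
	"strings"
)

// Bounds chosen for this example (assumptions, not values from the project).
// RFC 3161 policy OIDs have a handful of arcs; 64 is generous.
const (
	maxOIDLen     = 256
	maxOIDArcs    = 64
	maxContentLen = 256
)

// parseOIDUnbounded follows the pattern the advisory describes for the
// pre-2.0.3 code: split the untrusted OID on "." first, validate afterwards.
// Each element of the returned slice is a 16-byte string header on 64-bit,
// so n periods cost roughly 16*(n+1) bytes before a single arc is parsed.
func parseOIDUnbounded(oid string) ([]int, error) {
	parts := strings.Split(oid, ".")
	arcs := make([]int, 0, len(parts)) // another 8*(n+1) bytes
	for _, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return nil, fmt.Errorf("invalid OID arc %q", p)
		}
		arcs = append(arcs, v)
	}
	return arcs, nil
}

// parseOIDBounded does the cheap checks first: total length, then a count
// of separators (strings.Count allocates nothing), and only then splits.
func parseOIDBounded(oid string) ([]int, error) {
	if len(oid) == 0 || len(oid) > maxOIDLen {
		return nil, errors.New("oid length out of range")
	}
	if strings.Count(oid, ".") >= maxOIDArcs {
		return nil, errors.New("oid has too many arcs")
	}
	return parseOIDUnbounded(oid)
}

// contentTypeBounded caps the header before tokenising it, then uses the
// standard library's media-type parser rather than an ad hoc split
// (an assumption of this example, not the project's approach).
func contentTypeBounded(header string) (string, error) {
	if len(header) > maxContentLen {
		return "", errors.New("content-type header too long")
	}
	mediaType, _, err := mime.ParseMediaType(header)
	if err != nil {
		return "", err
	}
	return mediaType, nil
}

// heapBytesAllocated measures cumulative heap allocation caused by fn.
// TotalAlloc only grows, so a GC during fn does not distort the delta.
func heapBytesAllocated(fn func()) uint64 {
	var before, after runtime.MemStats
	runtime.ReadMemStats(&before)
	fn()
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc
}

// amplification returns heap bytes allocated per byte of attacker input for
// a constructed payload of n periods, for the unbounded and bounded parsers.
func amplification(n int) (unbounded, bounded float64) {
	payload := strings.Repeat(".", n) // constructed attacker input
	u := heapBytesAllocated(func() { _, _ = parseOIDUnbounded(payload) })
	b := heapBytesAllocated(func() { _, _ = parseOIDBounded(payload) })
	return float64(u) / float64(n), float64(b) / float64(n)
}

func main() {
	u, b := amplification(1 << 20)
	fmt.Printf("unbounded: %.1f bytes allocated per input byte\n", u)
	fmt.Printf("bounded:   %.1f bytes allocated per input byte\n", b)
}
```

On a 64-bit build the unbounded parser lands around 24 bytes of heap per input byte for a 1 MiB string of periods (the []string from Split plus the []int it sizes from it), while the bounded parser rejects the same payload with a single small error allocation. The ordering is the whole point: length and separator-count checks are O(n) in time but O(1) in memory, so they must run before any call that materialises one object per separator.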

Potential Impact

For European organizations, the primary impact is denial of service against services that rely on the sigstore timestamp-authority for timestamping digital signatures. An outage disrupts software supply chain workflows that depend on trusted timestamps, such as code signing and the later verification of signatures made with short-lived certificates. Organizations with strict software integrity requirements (finance, healthcare, critical infrastructure) may face operational interruptions and compliance questions. Because the endpoint is unauthenticated and the request is trivial to craft, the risk of opportunistic attacks is high for cloud providers, software vendors, and enterprises running the service. No data breach or code tampering is directly enabled, but unavailability can delay security operations and undermine trust in timestamped signatures.

Mitigation Recommendations

Upgrade every instance of sigstore timestamp-authority to version 2.0.3 or later. As defense in depth, cap request body and header sizes at the reverse proxy or in the service's HTTP server configuration: a well-formed JSON timestamp request is small, so a body limit of a few kilobytes and a comparable header limit cost nothing and stop the amplification before the parser runs. Add per-client rate limiting at the same layer. Monitor for unusual memory or CPU spikes on the service and for requests with abnormally long OID fields or Content-Type headers; both are cheap to log and alert on. If a WAF fronts the service, note that the OID is inside the JSON body, so the rule must inspect the body and not only the headers. Run the service in a dedicated environment with memory and CPU quotas (for example container resource limits) so that an exhausted instance is restarted rather than starving co-located services, and keep the surrounding supply chain components current.
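The request-size and field-length caps recommended above, as an added example in Go's net/http that is not the project's own code. It enforces a body limit with http.MaxBytesReader before the JSON decoder reads anything, maps the resulting *http.MaxBytesError to 413, bounds the OID field before any split, and sets MaxHeaderBytes on the server so oversized Content-Type headers are rejected by net/http before the handler runs. The endpoint path, the JSON field name tsaPolicyOID, the handler names and the limits are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Caps chosen for this example (assumptions, not the project's settings).
const (
	maxBodyBytes   = 16 << 10 // 16 KiB is ample for a JSON timestamp request
	maxHeaderBytes = 8 << 10
	maxOIDLen      = 256
	maxOIDArcs     = 64
)

// tsRequest is a stand-in for the JSON request body; only the field the
// advisory mentions is modelled, and the field name is assumed.
type tsRequest struct {
	Hash string `json:"hash"`
	OID  string `json:"tsaPolicyOID,omitempty"`
}

// timestampHandler enforces the body cap before decoding. An oversized body
// surfaces as *http.MaxBytesError from the decoder and is mapped to 413.
func timestampHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var req tsRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var mbe *http.MaxBytesError
		if errors.As(err, &mbe) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed request", http.StatusBadRequest)
		return
	}
	// Cheap bounds on the field itself, before any splitting happens.
	if len(req.OID) > maxOIDLen || strings.Count(req.OID, ".") >= maxOIDArcs {
		http.Error(w, "invalid policy OID", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// newServer wires the handler into a server with a header-size cap; net/http
// answers requests whose headers exceed MaxHeaderBytes with 431 before any
// handler code runs.
func newServer(addr string) *http.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/timestamp", timestampHandler)
	return &http.Server{Addr: addr, Handler: mux, MaxHeaderBytes: maxHeaderBytes}
}

// postStatus drives the handler in-process with a constructed body and
// returns the status code, so the caps can be exercised without a network.
func postStatus(body string) int {
	rr := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/v1/timestamp", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	timestampHandler(rr, req)
	return rr.Code
}
```

A 1 MiB body of periods inside the OID field is cut off at 16 KiB and answered with 413 without the decoder ever building the full string; a 1000-period OID that fits under the body cap is still refused with 400 by the field-level check. The same two limits belong at the reverse proxy as well, so that the Go process never sees the bytes at all.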


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-04T16:05:22.975Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69321040c0111c56163950c9

Added to database: 12/4/2025, 10:50:40 PM

Last enriched: 12/4/2025, 11:05:32 PM

Last updated: 12/4/2025, 11:59:34 PM


