CVE-2025-66564: CWE-405: Asymmetric Resource Consumption (Amplification) in sigstore timestamp-authority
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.
AI Analysis
Technical Summary
CVE-2025-66564 is classified under CWE-405 (Asymmetric Resource Consumption) and affects the sigstore timestamp-authority service, which issues RFC 3161 timestamps used in software supply chain security. The root cause is the handling of untrusted input in two functions, api.ParseJSONRequest and api.getContentType. api.ParseJSONRequest splits an optionally supplied OID string on periods with strings.Split, and api.getContentType similarly splits the Content-Type header, in both cases without first bounding the length of the input. Both values are attacker-controlled. strings.Split allocates a []string with one element per separator, so an OID made almost entirely of periods, or a Content-Type header packed with separators, forces an allocation proportional to the input length (the O(n) bytes the advisory describes) before any validation can reject the request; on 64-bit platforms each element is a 16-byte string header, so the heap cost is roughly 16 times the number of bytes the attacker sent. Because the endpoint is unauthenticated, the request can be repeated to exhaust memory and deny service. The vulnerability affects availability only: confidentiality and integrity are not impacted, no privileges or user interaction are required, and it is reachable over the network. It is fixed in timestamp-authority 2.0.3. No in-the-wild exploitation has been reported, but the CVSS 3.1 score of 7.5 reflects the low attack complexity and the availability impact.
Potential Impact
For European organizations, the primary impact of CVE-2025-66564 is denial of service against infrastructure that depends on the sigstore timestamp-authority service. The service provides trusted timestamps for code signing and artifact verification, so an outage can delay or block software deployment pipelines and affect development velocity and operational continuity. Organizations heavily invested in open source development, CI/CD pipelines, or sigstore-based artifact verification are at heightened risk. The attack requires no authentication, which widens the exposed surface. Although confidentiality and integrity are not compromised, loss of availability can cascade into business operations and erode trust in software provenance. The vulnerability could also be used as one step in a broader attack against software supply chains, which are strategic assets in Europe's digital economy.
Mitigation Recommendations
European organizations should upgrade all instances of sigstore timestamp-authority to version 2.0.3 or later, where this vulnerability is fixed. Until patching is complete, bound the two inputs at the edge: cap request body size at the reverse proxy or in the Go handler (http.MaxBytesReader), since the OID arrives inside the JSON body and a WAF rule on header length will not reach it, and cap header size (http.Server.MaxHeaderBytes, whose default is 1 MiB) for the Content-Type path. Rate-limit the timestamp endpoint per client. Monitor and alert on unusual spikes in memory or CPU usage on timestamp-authority servers, and on unusually large request bodies to that endpoint, as early warning of exploitation attempts. Where a WAF is in place, configure it to inspect and limit header lengths and payload sizes. Add this vulnerability to incident response playbooks so affected services can be isolated quickly if exploitation is suspected. Finally, review software supply chain security policies to ensure critical infrastructure components such as the timestamp authority are updated promptly.
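As an added worked example (not code from the sigstore project or the advisory), the Go program below first reproduces the amplification the analysis describes, then shows one way to bound it: length and arc-count checks before any allocation, a scanning OID parser instead of strings.Split, strings.Cut for the Content-Type header, and http.MaxBytesReader on the body. The JSON field name tsaPolicyOID, the limits maxOIDLen, maxOIDArcs and maxBody, the endpoint path and the sample OID are assumptions chosen for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"unsafe"
)

// Limits chosen for this example; they are not the project's values.
const (
	maxOIDLen  = 128      // dotted policy OIDs are short; 128 bytes is generous
	maxOIDArcs = 32       // upper bound on the number of arcs parsed
	maxBody    = 64 << 10 // cap on the JSON request body in bytes
)

// timestampRequest is a cut-down stand-in for the JSON body (field name assumed).
type timestampRequest struct {
	TSAPolicyOID string `json:"tsaPolicyOID,omitempty"`
}

// SplitAmplification reproduces the pre-2.0.3 pattern: strings.Split makes one
// string header per separator (16 bytes on 64-bit) before any validation can
// reject the input, so n periods cost roughly 16n bytes of heap.
func SplitAmplification(n int) (inputBytes, allocBytes int) {
	s := strings.Repeat(".", n)
	parts := strings.Split(s, ".")
	return len(s), len(parts) * int(unsafe.Sizeof(parts[0]))
}

// ParseOID is the hardened form: length and arc count are bounded before
// anything is allocated, and arcs are parsed by scanning, not splitting.
func ParseOID(oid string) ([]uint32, error) {
	if oid == "" {
		return nil, nil // the OID is optional
	}
	if len(oid) > maxOIDLen || strings.Count(oid, ".") >= maxOIDArcs {
		return nil, fmt.Errorf("oid rejected: %d bytes, %d separators", len(oid), strings.Count(oid, "."))
	}
	var arcs []uint32
	start := 0
	for i := 0; i <= len(oid); i++ {
		if i < len(oid) && oid[i] != '.' {
			continue
		}
		part := oid[start:i]
		start = i + 1
		if part == "" || len(part) > 9 { // 9 digits keeps the arc within uint32
			return nil, fmt.Errorf("bad oid arc %q", part)
		}
		var v uint32
		for j := 0; j < len(part); j++ {
			if part[j] < '0' || part[j] > '9' {
				return nil, fmt.Errorf("non-digit in oid arc %q", part)
			}
			v = v*10 + uint32(part[j]-'0')
		}
		arcs = append(arcs, v)
	}
	if len(arcs) < 2 || arcs[0] > 2 {
		return nil, errors.New("oid needs a root arc of 0, 1 or 2 and at least two arcs")
	}
	return arcs, nil
}

// BaseContentType returns the media type before any parameters; strings.Cut
// stops at the first ';' and allocates nothing, however long the header is.
func BaseContentType(header string) string {
	base, _, _ := strings.Cut(header, ";")
	return strings.ToLower(strings.TrimSpace(base))
}

// DecodeRequest checks the content type, caps the body with MaxBytesReader so
// json.Decode fails on oversized input, then validates the OID.
func DecodeRequest(w http.ResponseWriter, r *http.Request) ([]uint32, error) {
	if BaseContentType(r.Header.Get("Content-Type")) != "application/json" {
		return nil, errors.New("unsupported content type")
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxBody)
	var req timestampRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	return ParseOID(req.TSAPolicyOID)
}

// DecodeJSONBody runs DecodeRequest over a constructed POST carrying body.
func DecodeJSONBody(body string) ([]uint32, error) {
	r := httptest.NewRequest(http.MethodPost, "/api/v1/timestamp", strings.NewReader(body))
	r.Header.Set("Content-Type", "Application/JSON; charset=utf-8")
	return DecodeRequest(httptest.NewRecorder(), r)
}

func main() {
	in, out := SplitAmplification(1 << 20)
	fmt.Printf("strings.Split: %d bytes in, %d bytes allocated\n", in, out)
	fmt.Println(ParseOID("1.2.840.113549")) // sample OID, chosen for illustration
	fmt.Println(DecodeJSONBody(`{"tsaPolicyOID":"` + strings.Repeat(".", 1<<17) + `"}`))
}
```

The body cap is the control that matters for the OID path: the attacker has to send the periods, so bounding what the server will read bounds what it will allocate. The header path is covered separately by http.Server.MaxHeaderBytes, which rejects an oversized Content-Type before the handler runs.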
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T16:05:22.975Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69321040c0111c56163950c9
Added to database: 12/4/2025, 10:50:40 PM
Last enriched: 12/12/2025, 12:13:29 AM
Last updated: 1/19/2026, 2:11:05 AM
Views: 184
Related Threats
- CVE-2026-1132: SQL Injection in Yonyou KSOA (Medium)
- CVE-2026-1131: SQL Injection in Yonyou KSOA (Medium)
- CVE-2026-1130: SQL Injection in Yonyou KSOA (Medium)
- CVE-2026-1129: SQL Injection in Yonyou KSOA (Medium)
- CVE-2026-23829: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in axllent mailpit (Medium)