7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66564

CVE-2025-66564: Sigstore Timestamp Authority allocates excessive memory during request parsing

Impact

Excessive memory allocation

Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string.

As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Patches

Upgrade to v2.0.3.

Workarounds

There are no workarounds with the service itself. If the service is behind a load balancer, configure the load balancer to reject excessively large requests.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66564

CVE-2025-66564:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/sigstore/timestamp-authority	go	<= 2.0.2	2.0.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in two functions, api.ParseJSONRequest and api.getContentType, within the sigstore/timestamp-authority repository. Both functions were susceptible to excessive memory allocation, a vulnerability categorized under CWE-405: Asymmetric Resource Consumption. This was due to the unbounded use of strings.Split on user-controlled input.

In api.ParseJSONRequest, the TSAPolicyOID field from a JSON request was split by periods. An attacker could craft a request with a very long OID containing a large number of periods, causing the strings.Split function to create a very large slice of strings, leading to excessive memory allocation and a potential denial of service.

Similarly, in api.getContentType, the Content-Type HTTP header was split by the string "application/". A malicious user could send a request with a crafted Content-Type header containing numerous instances of "application/", triggering the same excessive memory allocation issue.

The patch for this vulnerability, found in commit 0cae34e197d685a14904e0bad135b89d13b69421, addresses these issues by replacing the unbounded strings.Split with strings.SplitN. This change limits the number of splits performed, thus mitigating the risk of excessive memory allocation. Additionally, a check on the number of separators was added before splitting the string.

Vulnerable functions

api.ParseJSONRequest

pkg/api/timestamp.go

The function `ParseJSONRequest` was vulnerable to excessive memory allocation because it used `strings.Split` on a user-provided OID without any limit. An attacker could provide a very long string with many periods, causing the application to allocate a large amount of memory, leading to a denial of service.

api.getContentType

pkg/api/timestamp.go

The function `getContentType` was vulnerable to excessive memory allocation because it used `strings.Split` on the `Content-Type` header without any limit. An attacker could provide a crafted header with many instances of "application/", causing the application to allocate a large amount of memory, leading to a denial of service.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66564: Sigstore Timestamp Authority allocates excessive memory during request parsing

Impact

Patches

Workarounds

CVE-2025-66564:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-66564: Sigstore Timestamp Authority allocates excessive memory during request parsing

Impact

Patches

Workarounds

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI