CVE-2025-66506
📋 TL;DR
This vulnerability in Fulcio allows an attacker to cause denial of service through resource exhaustion by sending a malicious OIDC identity token containing many period characters. It affects Fulcio servers prior to version 1.8.3 that process untrusted identity tokens. An attacker can trigger excessive memory allocations that crash the server or degrade service availability.
💻 Affected Systems
- Fulcio
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of Fulcio certificate authority, preventing code signing operations and disrupting software supply chain security workflows.
Likely Case
Degraded performance or temporary service unavailability due to memory exhaustion, requiring manual intervention to restore service.
If Mitigated
Minimal impact with proper rate limiting, request validation, and resource monitoring in place.
🎯 Exploit Status
Exploitation requires sending specially crafted OIDC identity tokens; no authentication needed as Fulcio accepts certificate signing requests from untrusted sources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.3
Vendor Advisory: https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw
Restart Required: Yes
Instructions:
1. Stop the Fulcio service.
2. Update to version 1.8.3 or later using your package manager or a direct download.
3. Restart the Fulcio service.
4. Verify the service is running correctly.
🔧 Temporary Workarounds
Rate limiting
Implement request rate limiting to prevent mass exploitation attempts.
# Configure rate limiting in your reverse proxy or load balancer
# Example nginx: define the zone, then apply it in the server or location block
limit_req_zone $binary_remote_addr zone=fulcio:10m rate=10r/s;
limit_req zone=fulcio burst=20;
Request size limiting
Limit the maximum request size to prevent large malicious payloads.
# Configure in web server or application
# Example nginx: client_max_body_size 1M;
🧯 If You Can't Patch
- Implement strict input validation to reject OIDC tokens with excessive periods before processing
- Deploy behind a WAF with DoS protection rules and request inspection capabilities
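The first bullet above calls for rejecting tokens with excessive periods before they are parsed. The following is an added example in Go (not Fulcio's code and not the upstream 1.8.3 fix) of such a pre-parse guard. It assumes the token arrives as an Authorization: Bearer header, as Fulcio's signing endpoint expects, and uses an assumed 16 KiB size bound; the names checkTokenShape, bearerToken and tokenGuard are hypothetical. A compact JWS has exactly three base64url segments separated by two periods, so the guard counts periods with strings.Count instead of splitting, which keeps the check at constant memory regardless of how many periods the token contains.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Assumed limits (not Fulcio's own constants): a compact JWS/JWT has exactly
// three base64url segments separated by two periods, and real identity
// tokens are far below 16 KiB.
const (
	maxTokenBytes    = 16 * 1024
	expectedSegments = 3
)

var (
	errEmpty    = errors.New("empty token")
	errTooLong  = errors.New("token exceeds size bound")
	errSegments = errors.New("token is not a three-segment compact JWS")
	errBadChar  = errors.New("token contains characters outside the base64url alphabet")
)

// checkTokenShape runs constant-memory checks on the raw token string before
// any parsing library allocates for it. Counting periods rather than splitting
// means a token made of thousands of periods costs O(n) time and no allocations.
func checkTokenShape(tok string) error {
	if tok == "" {
		return errEmpty
	}
	if len(tok) > maxTokenBytes {
		return errTooLong
	}
	if strings.Count(tok, ".") != expectedSegments-1 {
		return errSegments
	}
	for i := 0; i < len(tok); i++ {
		c := tok[i]
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9',
			c == '-', c == '_', c == '.':
		default:
			return errBadChar
		}
	}
	return nil
}

// bearerToken extracts the token from an "Authorization: Bearer <token>" header value.
func bearerToken(h string) (string, bool) {
	const prefix = "Bearer "
	if len(h) < len(prefix) || !strings.EqualFold(h[:len(prefix)], prefix) {
		return "", false
	}
	return h[len(prefix):], true
}

// tokenGuard wraps a handler and rejects malformed tokens with 400 before the
// wrapped handler (and its JWT parser) ever sees them.
func tokenGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := bearerToken(r.Header.Get("Authorization"))
		if !ok {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		if err := checkTokenShape(tok); err != nil {
			// One structured line per rejection gives a SIEM rule something cheap to key on.
			log.Printf("token_guard reject remote=%s len=%d periods=%d reason=%q",
				r.RemoteAddr, len(tok), strings.Count(tok, "."), err)
			http.Error(w, "malformed identity token", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample tokens: one with a normal JWT shape, one that is only periods.
	good := "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2ln"
	bad := strings.Repeat(".", 1000)
	fmt.Println("good:", checkTokenShape(good))
	fmt.Println("bad: ", checkTokenShape(bad))

	mux := http.NewServeMux()
	mux.Handle("/api/v2/signingCert", tokenGuard(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("token would be parsed here\n"))
	})))
	_ = mux // attach to an http.Server in a real deployment
}
```

Because the token travels in the Authorization header rather than the request body, a body-size limit at the reverse proxy does not bound it; this guard inspects the header value itself, and the rejection log line it emits (length, period count, reason) is a direct input for the log indicators under Detection & Monitoring.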
🔍 How to Verify
Check if Vulnerable:
Check the Fulcio version: if the reported version is earlier than 1.8.3, the server is vulnerable.
Check Version:
fulcio version
Verify Fix Applied:
Verify that the Fulcio version is 1.8.3 or later and that the service answers sample signing requests correctly.
📡 Detection & Monitoring
Log Indicators:
- High memory usage spikes
- Process crashes or restarts
- Requests with unusually large OIDC tokens
- Error logs mentioning memory allocation failures
Network Indicators:
- Unusually large HTTP requests to Fulcio endpoints
- High volume of requests from single sources
- Requests containing OIDC tokens with many period characters
SIEM Query:
source="fulcio" AND (memory_usage>90% OR error="out of memory" OR request_size>100KB)