CVE-2025-66564
📋 TL;DR
This CVE describes a resource exhaustion vulnerability in Sigstore Timestamp Authority where malicious requests with excessively long OIDs or malformed Content-Type headers can cause excessive memory allocations. This affects anyone running Sigstore Timestamp Authority versions before 2.0.3, potentially leading to denial of service.
💻 Affected Systems
- Sigstore Timestamp Authority
⚠️ Manual Verification Required
The database entry behind this page carries no machine-readable version range, so automatic detection cannot tell whether your deployment is affected.
Why? The NVD entry does not specify affected version ranges. The vendor advisory linked below identifies 2.0.3 as the fixed release, so treat any earlier version as affected until you have verified otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 2.0.3 or later; if you cannot, apply the workarounds below
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to memory exhaustion, potentially affecting timestamping services for dependent applications.
Likely Case
Degraded performance or intermittent service disruptions under targeted attack.
If Mitigated
Minimal impact with proper rate limiting and request validation in place.
🎯 Exploit Status
Exploitation requires only sending specially crafted requests (an overlong OID in the timestamp request, or a malformed Content-Type header) to the timestamping endpoint. That endpoint is normally exposed without authentication, so any client able to reach the service can attempt it; no credentials or prior foothold are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.3
Vendor Advisory: https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh
Restart Required: Yes
Instructions:
1. Stop the timestamp authority service.
2. Update to version 2.0.3 or later.
3. Restart the service.
🔧 Temporary Workarounds
Rate Limiting
Implement per-client request rate limiting at the reverse proxy or load balancer in front of the TSA, so that a single source cannot submit crafted requests fast enough to exhaust memory.
# Configure rate limiting in your reverse proxy or load balancer
Input Validation
Add WAF rules or middleware that reject, before they reach the TSA, requests whose body is far larger than a legitimate RFC 3161 TimeStampReq (a few hundred bytes) or whose Content-Type header is missing, malformed, or not a type the service accepts.
# Example nginx rules (illustrative values; declare `limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;` in the http block)
location /api/ { limit_req zone=api burst=20 nodelay; client_max_body_size 16k; }
🧯 If You Can't Patch
- Implement strict rate limiting and request size limits
- Deploy behind a WAF with rules to block malicious patterns
🔍 How to Verify
Check if Vulnerable:
Check if running Sigstore Timestamp Authority version < 2.0.3
Check Version:
./timestamp-authority --version
The binary name and version flag depend on how the service was built or packaged. For any Go-built binary, `go version -m <path-to-binary>` prints the embedded main module path and version; for a container deployment, compare the image tag against the advisory.
Verify Fix Applied:
Confirm the running version is 2.0.3 or later, then submit a normal RFC 3161 timestamp request and check that a valid timestamp response is returned.
📡 Detection & Monitoring
Log Indicators:
- Unusually large request payloads
- Multiple failed requests with malformed headers
- Memory usage spikes
Network Indicators:
- Requests with extremely long OID parameters
- Malformed Content-Type headers
SIEM Query (generic pseudo-syntax; map the field names to your pipeline, and group the matches by client address to see whether a single source is responsible):
source="timestamp-authority" AND (request_size>10000 OR status=400)
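The same heuristic run over log lines, as an added example that is not part of the original page or the sigstore project: it counts, per client, requests that are oversized, rejected with 400, or carry a Content-Type the MIME parser cannot parse, and flags any client that accumulates several. The JSON log format, its field names, the 10000-byte threshold carried over from the query above, the three-request flag threshold, and the sample lines themselves are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"strings"
)

// accessEntry is the assumed shape of one access-log line from the proxy or
// TSA. The field names are hypothetical; map them to your own pipeline.
type accessEntry struct {
	Client      string `json:"client"`
	Path        string `json:"path"`
	Status      int    `json:"status"`
	RequestSize int    `json:"request_size"`
	ContentType string `json:"content_type"`
}

// Thresholds mirror the query above (request_size>10000 OR status=400).
// A legitimate TimeStampReq is a few hundred bytes, so 10000 is generous.
const (
	sizeThreshold = 10000
	maxSuspicious = 3 // flag a client once it reaches this many hits
)

// suspicious reports whether one entry matches an indicator: an oversized
// body, a rejected request, or a Content-Type that fails to parse.
func suspicious(e accessEntry) bool {
	if e.RequestSize > sizeThreshold || e.Status == 400 {
		return true
	}
	_, _, err := mime.ParseMediaType(e.ContentType)
	return err != nil
}

// flagClients parses newline-delimited JSON log lines and returns the
// suspicious-request count for every client that reached maxSuspicious.
func flagClients(logLines string) (map[string]int, error) {
	counts := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(logLines), "\n") {
		var e accessEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		if suspicious(e) {
			counts[e.Client]++
		}
	}
	for client, n := range counts {
		if n < maxSuspicious {
			delete(counts, client)
		}
	}
	return counts, nil
}

// sampleLog is constructed for this example; it is not real TSA output.
// 203.0.113.7 sends a malformed header, an oversized rejected body, and an
// oversized accepted body; 198.51.100.2 is a normal client with one typo.
const sampleLog = `
{"client":"203.0.113.7","path":"/api/v1/timestamp","status":400,"request_size":512,"content_type":"application/timestamp-query; charset"}
{"client":"203.0.113.7","path":"/api/v1/timestamp","status":400,"request_size":250000,"content_type":"application/timestamp-query"}
{"client":"203.0.113.7","path":"/api/v1/timestamp","status":200,"request_size":120000,"content_type":"application/timestamp-query"}
{"client":"198.51.100.2","path":"/api/v1/timestamp","status":200,"request_size":311,"content_type":"application/timestamp-query"}
{"client":"198.51.100.2","path":"/api/v1/timestamp","status":400,"request_size":298,"content_type":"application/json"}
{"client":"198.51.100.2","path":"/api/v1/timestamp","status":200,"request_size":305,"content_type":"application/timestamp-query"}
`

func main() {
	flagged, err := flagClients(sampleLog)
	if err != nil {
		panic(err)
	}
	for client, n := range flagged {
		fmt.Printf("ALERT %s: %d suspicious timestamp requests\n", client, n)
	}
}
```

Pair the alert with the TSA's memory metrics: a flagged client whose requests line up with a memory spike on the TSA process is the pattern this CVE describes, while a client with a single 400 is almost always a misconfigured signer.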