Browse all 3 CVE security advisories affecting in-toto. AI-powered Chinese analysis, POCs, and references for each vulnerability.
In-toto is a framework designed to secure software supply chains by providing cryptographic verification of software integrity and provenance. Historically, it has been susceptible to remote code execution vulnerabilities, cross-site scripting flaws, and privilege escalation issues, often stemming from improper input validation and insecure default configurations. While no major public security incidents have been widely reported, the three documented CVEs highlight potential risks in its implementation. The framework's security relies heavily on proper key management and verification processes, with vulnerabilities typically arising from misconfigurations rather than inherent design flaws.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-62375 | go-witness Improper Verification of AWS EC2 Identity Documents — go-witnessCWE-295 | 9.1 | - | 2025-10-15 |
| CVE-2023-32076 | in-toto vulnerable to Configuration Read From Local Directory — in-totoCWE-15 | 5.5 | Medium | 2023-05-10 |
| CVE-2021-41087 | Improperly Implemented path matching for in-toto-golang — in-toto-golangCWE-345 | 5.6 | Medium | 2021-09-21 |
This page lists every published CVE security advisory associated with in-toto. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.