
sigstore — Vulnerabilities & Security Advisories (27)

Browse all 27 CVE security advisories affecting sigstore. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Sigstore is an open-source project for signing and verifying software artifacts without long-lived signing keys: a signer authenticates with an OIDC identity, Fulcio issues a short-lived code-signing certificate bound to that identity, the signature is recorded in the Rekor transparency log (optionally with a signed timestamp from the timestamp authority), and a verifier such as cosign, gitsign, policy-controller or one of the language clients (sigstore-go, sigstore-python, sigstore-java, sigstore-ruby) checks the certificate, the log entry and the artifact digest. Across those components the project has recorded 27 CVEs. None of them is a remote code execution or privilege escalation; the table below falls into three groups. First, verifiers that report success when they should not, whether through a missing signature, certificate-chain or Rekor-entry check or through a parse failure being treated as a pass (CWE-347, CWE-295, CWE-345, CWE-252, CWE-754, CWE-706, CWE-20). Second, denial of service from untrusted input: unbounded allocation, endless-data reads and panics on malformed entries (CWE-770, CWE-400, CWE-405, CWE-835, CWE-476, CWE-617). Third, server-side issues in the hosted services and clients: SSRF in Fulcio and Rekor (CWE-918), path traversal in the legacy TUF client (CWE-22) and a CSRF in the OIDC signing flow (CWE-352). The highest CVSS score on the list is 7.5. For a verification tool the first group is the one to prioritise when upgrading: a false-positive verification defeats the purpose of the signature, whereas the DoS entries affect availability of the signing or log service. The project addresses these issues through auditing and community-driven patches, and each advisory page linked below lists the affected products and references.

CVE ID | Title | Component | CWE | CVSS | Severity | Published
CVE-2026-39984 | Sigstore Timestamp Authority has Improper Certificate Validation in verifier | timestamp-authority | CWE-295 | 5.5 | Medium | 2026-04-14
CVE-2026-39395 | Cosign's verify-blob-attestation reports false positive when payload parsing fails | cosign | CWE-754 | 4.3 | Medium | 2026-04-07
CVE-2026-31830 | sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest | sigstore-ruby | CWE-252 | 7.5 | High | 2026-03-10
CVE-2026-24122 | Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked | cosign | CWE-295 | 3.7 | Low | 2026-02-19
CVE-2026-24408 | sigstore has CSRF possibility in OIDC authentication during signing | sigstore-python | CWE-352 | - | - | 2026-01-26
CVE-2026-24137 | sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal | sigstore | CWE-22 | 5.8 | Medium | 2026-01-23
CVE-2026-24117 | Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL | rekor | CWE-918 | 5.3 | Medium | 2026-01-22
CVE-2026-23831 | Rekor COSE v0.0.1 Canonicalize crashes when passed empty Message | rekor | CWE-476 | 5.3 | Medium | 2026-01-22
CVE-2026-22772 | Fulcio vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass | fulcio | CWE-918 | 5.8 | Medium | 2026-01-12
CVE-2026-22703 | Cosign verification accepts any valid Rekor entry under certain conditions | cosign | CWE-345 | 5.5 | Medium | 2026-01-10
CVE-2025-66564 | Sigstore Timestamp Authority allocates excessive memory during request parsing | timestamp-authority | CWE-405 | 7.5 | High | 2025-12-04
CVE-2025-66506 | Fulcio allocates excessive memory during token parsing | fulcio | CWE-405 | 7.5 | High | 2025-12-04
CVE-2024-55655 | sigstore-python has insufficient validation of integration timestamp during verification | sigstore-python | CWE-20 | 6.5 | - | 2024-12-10
CVE-2024-54140 | sigstore-java has a vulnerability with bundle verification | sigstore-java | CWE-20 | - | - | 2024-12-05
CVE-2024-53267 | Vulnerability with bundle verification in sigstore-java | sigstore-java | CWE-347 | 5.5 | Medium | 2024-11-26
CVE-2024-51746 | Use of incorrect Rekor entries during verification in gitsign | gitsign | CWE-706 | 6.5 | - | 2024-11-05
CVE-2024-45395 | Unbounded loop over untrusted input can lead to endless data attack | sigstore-go | CWE-835 | 3.1 | Low | 2024-09-04
CVE-2024-29903 | Cosign vulnerable to machine-wide denial of service via malicious artifacts | cosign | CWE-770 | 4.2 | Medium | 2024-04-10
CVE-2024-29902 | Cosign vulnerable to system-wide denial of service via malicious attachments | cosign | CWE-770 | 4.2 | Medium | 2024-04-10
CVE-2023-47122 | Gitsign's Rekor public keys fetched from upstream API instead of local TUF client | gitsign | CWE-347 | 4.2 | Medium | 2023-11-10
CVE-2023-46737 | Possible endless data attack from attacker-controlled registry in cosign | cosign | CWE-400 | 3.1 | Low | 2023-11-07
CVE-2023-33199 | malformed proposed intoto v0.0.2 entries can cause a panic in Rekor | rekor | CWE-617 | 5.3 | Medium | 2023-05-26
CVE-2023-30551 | Rekor's compressed archives can result in OOM conditions | rekor | CWE-770 | 7.5 | High | 2023-05-08
CVE-2022-36056 | Vulnerabilities with blob verification in sigstore cosign | cosign | CWE-347 | 5.5 | Medium | 2022-09-14
CVE-2022-35930 | Ability to bypass attestation verification in sigstore PolicyController | policy-controller | CWE-347 | 7.1 | High | 2022-08-04
CVE-2022-35929 | False positive signature verification in cosign | cosign | CWE-347 | 7.1 | High | 2022-08-04
CVE-2022-23649 | Improper Certificate Validation in Cosign | cosign | CWE-295 | 3.3 | Low | 2022-02-18

A cell shown as - has no value on this listing (the CVSS score or severity was not populated for that entry).
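Three entries in the table describe the same failure class seen from the verifier's side: CVE-2022-35929 (false-positive signature verification in cosign), CVE-2026-39395 (verify-blob-attestation reporting success when payload parsing fails) and CVE-2026-31830 (sigstore-ruby accepting a DSSE bundle whose in-toto subject digest does not match the artifact). The Go program below is an added illustration of what a fail-closed attestation verifier has to check, written for this page; it is not code from cosign, sigstore-go or any other Sigstore client and does not reproduce any of those bugs. It assumes an ed25519 key pair in place of a Fulcio certificate and leaves out the Rekor and timestamp checks; the DSSE pre-authentication encoding and the in-toto statement layout are the public formats, while the function names (NewStatement, SignStatement, VerifyAttestation) and the sample artifact bytes are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

const inTotoType = "application/vnd.in-toto+json" // DSSE payloadType for in-toto statements

// Envelope is a DSSE envelope: Payload is the base64-encoded statement.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
	Signatures  []struct{ Sig string `json:"sig"` } `json:"signatures"`
}

// Statement is the part of an in-toto Statement the subject check needs (Digest: algorithm -> hex).
type Statement struct {
	Subject []struct{ Digest map[string]string `json:"digest"` } `json:"subject"`
}

// pae is the DSSE pre-authentication encoding, the bytes that are actually signed.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// NewStatement builds a minimal statement; sha256Hex is a parameter so a caller can build a mismatched one.
func NewStatement(name, sha256Hex string) []byte {
	b, _ := json.Marshal(map[string]any{
		"_type":   "https://in-toto.io/Statement/v1",
		"subject": []map[string]any{{"name": name, "digest": map[string]string{"sha256": sha256Hex}}},
	})
	return b
}

// SignStatement wraps a statement in a DSSE envelope signed with ed25519, a
// stand-in here for the Fulcio-issued certificate a real Sigstore bundle carries.
func SignStatement(priv ed25519.PrivateKey, statement []byte) []byte {
	sig := ed25519.Sign(priv, pae(inTotoType, statement))
	b, _ := json.Marshal(map[string]any{
		"payloadType": inTotoType,
		"payload":     base64.StdEncoding.EncodeToString(statement),
		"signatures":  []map[string]string{{"sig": base64.StdEncoding.EncodeToString(sig)}},
	})
	return b
}

// VerifyAttestation accepts only if (1) a signature verifies over the PAE, (2) the payload
// parses as an in-toto statement and (3) some subject's sha256 equals the artifact's digest.
// Anything else, a parse failure included, is an error: the verifier fails closed.
func VerifyAttestation(pub ed25519.PublicKey, envelopeJSON, artifact []byte) error {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return fmt.Errorf("envelope: %w", err)
	}
	if env.PayloadType != inTotoType {
		return fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("payload: %w", err)
	}
	signed, verified := pae(env.PayloadType, payload), false
	for _, s := range env.Signatures {
		if sig, err := base64.StdEncoding.DecodeString(s.Sig); err == nil && ed25519.Verify(pub, signed, sig) {
			verified = true
		}
	}
	if !verified {
		return errors.New("no signature verified")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return fmt.Errorf("statement: %w", err) // a parse error is never a pass
	}
	sum := sha256.Sum256(artifact)
	for _, subj := range st.Subject { // an empty subject list falls through to the error below
		if subj.Digest["sha256"] == hex.EncodeToString(sum[:]) {
			return nil
		}
	}
	return errors.New("no subject digest matches the artifact")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed sample artifact bytes") // constructed input, not a real artifact
	sum := sha256.Sum256(artifact)
	good := SignStatement(priv, NewStatement("app.tar.gz", hex.EncodeToString(sum[:])))
	fmt.Println("match:", VerifyAttestation(pub, good, artifact), "| other artifact:", VerifyAttestation(pub, good, []byte("other")))
	fmt.Println("unparseable payload:", VerifyAttestation(pub, SignStatement(priv, []byte("{not json")), artifact))
}
```

The ordering is the point: the signature is checked over the PAE before the payload is interpreted, a statement that does not parse is returned as an error rather than swallowed, and the subject loop returns success only on an exact digest match, so an empty subject list or a mismatched digest ends in the final error. A real verifier additionally has to validate the signing certificate chain against the Sigstore trust root, the Rekor inclusion proof and the signed timestamp; each of those checks appears as its own CVE in the table above.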

This page lists every published CVE security advisory associated with sigstore. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.