Lucene search
K

13 matches found

Veracode
Veracode
added 2026/03/26 11:22 a.m.6 views

Denial Of Service (DoS)

github.com/sigstore/fulcio is vulnerable to Denial of Service DoS. The vulnerability is due to inefficient handling of untrusted input in the extractIssuerURL function, which allows an attacker to supply a token with excessive period characters to trigger high memory allocations and degrade servi...

7.5CVSS6.8AI score0.00191EPSS
Exploits0References3Affected Software1
Amazon
Amazon
added 2026/01/07 12:0 a.m.8 views

Medium: runfinch-finch

Issue Overview: SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. CVE-2025-47914 SSH servers parsing GSSAPI authentication requests do not validate the number...

7.5CVSS7.2AI score0.00533EPSS
Exploits2
RedhatCVE
RedhatCVE
added 2025/12/11 5:22 a.m.3 views

CVE-2025-66506

A flaw was found in Fulcio, a free-to-use certificate authority. This vulnerability allows a denial of service DoS due to excessive memory allocation when processing a malicious OpenID Connect OIDC identity token containing numerous period characters...

7.5CVSS6AI score0.00191EPSS
Exploits0References5
OSV
OSV
added 2025/12/05 6:18 p.m.5 views

GHSA-F83F-XPX7-FFPW Fulcio allocates excessive memory during token parsing

Function identity.extractIssuerURL currently splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request with an invalid OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs...

7.5CVSS6.8AI score0.00191EPSS
Exploits0References4
EUVD
EUVD
added 2025/12/05 6:18 p.m.4 views

EUVD-2025-201293

Fulcio allocates excessive memory during token parsing...

7.5CVSS6.4AI score0.00191EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2025/12/05 6:18 p.m.7 views

Fulcio allocates excessive memory during token parsing

Function identity.extractIssuerURL currently splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious request with an invalid OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs...

7.5CVSS6.9AI score0.00191EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2025/12/04 10:15 p.m.6 views

CVE-2025-66506

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect OIDC identity. Prior to 1.8.3, function identity.extractIssuerURL splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious...

7.5CVSS0.00191EPSS
Exploits0References2
OSV
OSV
added 2025/12/04 10:15 p.m.2 views

DEBIAN-CVE-2025-66506

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect OIDC identity. Prior to 1.8.3, function identity.extractIssuerURL splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious...

7.5CVSS6.4AI score0.00191EPSS
Exploits0References1
OSV
OSV
added 2025/12/04 10:15 p.m.4 views

UBUNTU-CVE-2025-66506

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect OIDC identity. Prior to 1.8.3, function identity.extractIssuerURL splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious...

7.5CVSS6.4AI score0.00191EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2025/12/04 10:4 p.m.3 views

CVE-2025-66506

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect OIDC identity. Prior to 1.8.3, function identity.extractIssuerURL splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious...

7.5CVSS6.4AI score0.00191EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2025/12/04 10:4 p.m.2 views

CVE-2025-66506 Fulcio allocates excessive memory during token parsing

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect OIDC identity. Prior to 1.8.3, function identity.extractIssuerURL splits via a call to strings.Split its argument which is untrusted data on periods. As a result, in the face of a malicious...

7.5CVSS6.6AI score0.00191EPSS
Exploits0References2
CVE
CVE
added 2025/12/04 10:4 p.m.51 views

CVE-2025-66506

CVE-2025-66506 affects Fulcio prior to 1.8.3. The identity.extractIssuerURL function splits the untrusted OIDC identity token on periods, which can incur O(n) memory allocations when receiving tokens with many dots. This could lead to resource consumption under malicious input. The issue is fixed...

7.5CVSS6.6AI score0.00191EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2025/12/04 12:0 a.m.2 views

PT-2025-49168

Name of the Vulnerable Software and Affected Versions Fulcio versions prior to 1.8.3 Description Fulcio is a certificate authority for issuing code signing certificates for OpenID Connect OIDC identity. The identity.extractIssuerURL function splits its input, which is untrusted data, on periods. ...

7.5CVSS6.8AI score0.00191EPSS
Exploits0References7
Rows per page
Query Builder