CVE-2025-66506 - Vulnerability Details

- Fulcio allocates excessive memory during token parsing

Description

Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.

Published: 2025-12-04

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

sigstore

fulcio

affected

Version	Status	Constraints
`< 1.8.3`	affected	—

Configuration 1 [-]

cpe:2.3:a:linuxfoundation:fulcio:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Sigstore	Fulcio	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-f83f-xpx7-ffpw	Fulcio allocates excessive memory during token parsing

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a
https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw
https://nvd.nist.gov/vuln/detail/CVE-2025-66506
https://www.cve.org/CVERecord?id=CVE-2025-66506

History

Tue, 10 Mar 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linuxfoundation Linuxfoundation fulcio
CPEs		cpe:2.3:a:linuxfoundation:fulcio::::::::
Vendors & Products		Linuxfoundation Linuxfoundation fulcio

Thu, 11 Dec 2025 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-66506 https://www.cve.org/CVERecord?id=CVE-2025-66506
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 05 Dec 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 05 Dec 2025 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sigstore Sigstore fulcio
Vendors & Products		Sigstore Sigstore fulcio

Thu, 04 Dec 2025 22:15:00 +0000

Type	Values Removed	Values Added
Description		Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.
Title		Fulcio allocates excessive memory during token parsing
Weaknesses		CWE-405
References		https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Linuxfoundation Fulcio

Sigstore Fulcio

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-12-04T22:04:41.637Z

Updated: 2025-12-05T15:32:25.591Z

Reserved: 2025-12-03T15:12:22.978Z

Link: CVE-2025-66506

Vulnrichment

Updated: 2025-12-05T15:32:21.138Z

NVD

Status : Analyzed

Published: 2025-12-04T22:15:49.503

Modified: 2026-03-10T19:30:53.470

Link: CVE-2025-66506

Redhat

Severity : Important

Publid Date: 2025-12-04T22:04:41Z

Links: CVE-2025-66506 - Bugzilla

OpenCVE Enrichment

Updated: 2025-12-05T10:52:21Z

Weaknesses

CWE-405

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object