Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for sigstore-js by sigstore

    CVE-2026-48816 (GCVE-0-2026-48816)

    Vulnerability from nvd – Published: 2026-07-14 20:39 – Updated: 2026-07-15 14:26
    VLAI
    Title
    sigstore-js: Insufficient Verification of Data Authenticity
    Summary
    sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries[].integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind integratedTime, allowing an attacker who can supply an untrusted bundle to influence certificate validity and timestampThreshold verification decisions. This issue is fixed in version 3.1.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    sigstore sigstore-js Affected: < 3.1.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48816",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:25:32.204796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:26:01.060Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-xgjw-pm74-86q4"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "sigstore-js",
              "vendor": "sigstore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.1.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries[].integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind integratedTime, allowing an attacker who can supply an untrusted bundle to influence certificate validity and timestampThreshold verification decisions. This issue is fixed in version 3.1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T20:39:05.532Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-xgjw-pm74-86q4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-xgjw-pm74-86q4"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/pull/1659",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/pull/1659"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/commit/f074710a91ea9260a9ac2142345634579843a3cd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/commit/f074710a91ea9260a9ac2142345634579843a3cd"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Fverify%403.1.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Fverify%403.1.1"
            }
          ],
          "source": {
            "advisory": "GHSA-xgjw-pm74-86q4",
            "discovery": "UNKNOWN"
          },
          "title": "sigstore-js: Insufficient Verification of Data Authenticity"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48816",
        "datePublished": "2026-07-14T20:39:05.532Z",
        "dateReserved": "2026-05-22T20:57:10.976Z",
        "dateUpdated": "2026-07-15T14:26:01.060Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48815 (GCVE-0-2026-48815)

    Vulnerability from nvd – Published: 2026-07-14 20:27 – Updated: 2026-07-15 12:56
    VLAI
    Title
    sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced
    Summary
    sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications relying on certificateOIDs to restrict which certificates may sign artifacts can accept unauthorized certificates. This issue is fixed in version 4.1.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    sigstore sigstore-js Affected: < 4.1.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48815",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T12:56:21.913994Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T12:56:29.848Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "sigstore-js",
              "vendor": "sigstore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.1.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications relying on certificateOIDs to restrict which certificates may sign artifacts can accept unauthorized certificates. This issue is fixed in version 4.1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T20:27:16.925Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/pull/1658",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/pull/1658"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/commit/7845532f9d17f6f765363dbee82b01bd159fb52b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/commit/7845532f9d17f6f765363dbee82b01bd159fb52b"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/releases/tag/sigstore%404.1.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/releases/tag/sigstore%404.1.1"
            }
          ],
          "source": {
            "advisory": "GHSA-52v5-jr5w-gjxr",
            "discovery": "UNKNOWN"
          },
          "title": "sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48815",
        "datePublished": "2026-07-14T20:27:16.925Z",
        "dateReserved": "2026-05-22T20:57:10.976Z",
        "dateUpdated": "2026-07-15T12:56:29.848Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48758 (GCVE-0-2026-48758)

    Vulnerability from nvd – Published: 2026-07-14 20:36 – Updated: 2026-07-15 12:54
    VLAI
    Title
    sigstore-js: DSSE payloadType type-binding failure
    Summary
    sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature and breaking the type-binding guarantee that DSSE is designed to provide. This issue is fixed in version 3.2.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    sigstore sigstore-js Affected: < 3.2.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48758",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T12:54:43.124124Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T12:54:55.445Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-jfc7-64v2-mr8c"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "sigstore-js",
              "vendor": "sigstore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.2.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature and breaking the type-binding guarantee that DSSE is designed to provide. This issue is fixed in version 3.2.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T20:36:28.641Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-jfc7-64v2-mr8c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-jfc7-64v2-mr8c"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/pull/1657",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/pull/1657"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/commit/b5aa4f1f8d2db0a9dfa6430fb114d9c2f1c304f7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/commit/b5aa4f1f8d2db0a9dfa6430fb114d9c2f1c304f7"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Fcore%403.2.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Fcore%403.2.1"
            }
          ],
          "source": {
            "advisory": "GHSA-jfc7-64v2-mr8c",
            "discovery": "UNKNOWN"
          },
          "title": "sigstore-js: DSSE payloadType type-binding failure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48758",
        "datePublished": "2026-07-14T20:36:28.641Z",
        "dateReserved": "2026-05-22T19:39:05.356Z",
        "dateUpdated": "2026-07-15T12:54:55.445Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59891 (GCVE-0-2026-59891)

    Vulnerability from nvd – Published: 2026-07-14 16:54 – Updated: 2026-07-14 16:54
    VLAI
    Title
    Credential confusion in  @sigstore/oci  can leak registry credentials to an attacker-controlled registry
    Summary
    sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 0.7.1, getRegistryCredentials() reads credentials from the Docker config file and selects an entry by checking whether any configured auth key contains the target registry string. Because this is a substring match rather than an exact host match, credentials configured for one registry can be selected for and transmitted to a different registry whose hostname has a substring relationship with a configured auth key. This issue is fixed in version 0.7.1.
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    sigstore sigstore-js Affected: < 0.7.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "sigstore-js",
              "vendor": "sigstore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.7.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 0.7.1, getRegistryCredentials() reads credentials from the Docker config file and selects an entry by checking whether any configured auth key contains the target registry string. Because this is a substring match rather than an exact host match, credentials configured for one registry can be selected for and transmitted to a different registry whose hostname has a substring relationship with a configured auth key. This issue is fixed in version 0.7.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T16:54:50.608Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-pf56-329r-95rw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-pf56-329r-95rw"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/commit/85c58380758b97ce1b74ef470e55cc21f9d3aa89",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/commit/85c58380758b97ce1b74ef470e55cc21f9d3aa89"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Foci%400.7.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Foci%400.7.1"
            }
          ],
          "source": {
            "advisory": "GHSA-pf56-329r-95rw",
            "discovery": "UNKNOWN"
          },
          "title": "Credential confusion in \u00a0@sigstore/oci\u00a0 can leak registry credentials to an attacker-controlled registry"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59891",
        "datePublished": "2026-07-14T16:54:50.608Z",
        "dateReserved": "2026-07-07T16:40:07.983Z",
        "dateUpdated": "2026-07-14T16:54:50.608Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48816 (GCVE-0-2026-48816)

    Vulnerability from cvelistv5 – Published: 2026-07-14 20:39 – Updated: 2026-07-15 14:26
    VLAI
    Title
    sigstore-js: Insufficient Verification of Data Authenticity
    Summary
    sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries[].integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind integratedTime, allowing an attacker who can supply an untrusted bundle to influence certificate validity and timestampThreshold verification decisions. This issue is fixed in version 3.1.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    sigstore sigstore-js Affected: < 3.1.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48816",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:25:32.204796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:26:01.060Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-xgjw-pm74-86q4"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "sigstore-js",
              "vendor": "sigstore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.1.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries[].integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind integratedTime, allowing an attacker who can supply an untrusted bundle to influence certificate validity and timestampThreshold verification decisions. This issue is fixed in version 3.1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T20:39:05.532Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-xgjw-pm74-86q4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-xgjw-pm74-86q4"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/pull/1659",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/pull/1659"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/commit/f074710a91ea9260a9ac2142345634579843a3cd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/commit/f074710a91ea9260a9ac2142345634579843a3cd"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Fverify%403.1.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Fverify%403.1.1"
            }
          ],
          "source": {
            "advisory": "GHSA-xgjw-pm74-86q4",
            "discovery": "UNKNOWN"
          },
          "title": "sigstore-js: Insufficient Verification of Data Authenticity"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48816",
        "datePublished": "2026-07-14T20:39:05.532Z",
        "dateReserved": "2026-05-22T20:57:10.976Z",
        "dateUpdated": "2026-07-15T14:26:01.060Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48758 (GCVE-0-2026-48758)

    Vulnerability from cvelistv5 – Published: 2026-07-14 20:36 – Updated: 2026-07-15 12:54
    VLAI
    Title
    sigstore-js: DSSE payloadType type-binding failure
    Summary
    sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature and breaking the type-binding guarantee that DSSE is designed to provide. This issue is fixed in version 3.2.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    sigstore sigstore-js Affected: < 3.2.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48758",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T12:54:43.124124Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T12:54:55.445Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-jfc7-64v2-mr8c"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "sigstore-js",
              "vendor": "sigstore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.2.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature and breaking the type-binding guarantee that DSSE is designed to provide. This issue is fixed in version 3.2.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T20:36:28.641Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-jfc7-64v2-mr8c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-jfc7-64v2-mr8c"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/pull/1657",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/pull/1657"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/commit/b5aa4f1f8d2db0a9dfa6430fb114d9c2f1c304f7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/commit/b5aa4f1f8d2db0a9dfa6430fb114d9c2f1c304f7"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Fcore%403.2.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Fcore%403.2.1"
            }
          ],
          "source": {
            "advisory": "GHSA-jfc7-64v2-mr8c",
            "discovery": "UNKNOWN"
          },
          "title": "sigstore-js: DSSE payloadType type-binding failure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48758",
        "datePublished": "2026-07-14T20:36:28.641Z",
        "dateReserved": "2026-05-22T19:39:05.356Z",
        "dateUpdated": "2026-07-15T12:54:55.445Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48815 (GCVE-0-2026-48815)

    Vulnerability from cvelistv5 – Published: 2026-07-14 20:27 – Updated: 2026-07-15 12:56
    VLAI
    Title
    sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced
    Summary
    sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications relying on certificateOIDs to restrict which certificates may sign artifacts can accept unauthorized certificates. This issue is fixed in version 4.1.1.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    sigstore sigstore-js Affected: < 4.1.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48815",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T12:56:21.913994Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T12:56:29.848Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "sigstore-js",
              "vendor": "sigstore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.1.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications relying on certificateOIDs to restrict which certificates may sign artifacts can accept unauthorized certificates. This issue is fixed in version 4.1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T20:27:16.925Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/pull/1658",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/pull/1658"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/commit/7845532f9d17f6f765363dbee82b01bd159fb52b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/commit/7845532f9d17f6f765363dbee82b01bd159fb52b"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/releases/tag/sigstore%404.1.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/releases/tag/sigstore%404.1.1"
            }
          ],
          "source": {
            "advisory": "GHSA-52v5-jr5w-gjxr",
            "discovery": "UNKNOWN"
          },
          "title": "sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48815",
        "datePublished": "2026-07-14T20:27:16.925Z",
        "dateReserved": "2026-05-22T20:57:10.976Z",
        "dateUpdated": "2026-07-15T12:56:29.848Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59891 (GCVE-0-2026-59891)

    Vulnerability from cvelistv5 – Published: 2026-07-14 16:54 – Updated: 2026-07-14 16:54
    VLAI
    Title
    Credential confusion in  @sigstore/oci  can leak registry credentials to an attacker-controlled registry
    Summary
    sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 0.7.1, getRegistryCredentials() reads credentials from the Docker config file and selects an entry by checking whether any configured auth key contains the target registry string. Because this is a substring match rather than an exact host match, credentials configured for one registry can be selected for and transmitted to a different registry whose hostname has a substring relationship with a configured auth key. This issue is fixed in version 0.7.1.
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    sigstore sigstore-js Affected: < 0.7.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "sigstore-js",
              "vendor": "sigstore",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.7.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 0.7.1, getRegistryCredentials() reads credentials from the Docker config file and selects an entry by checking whether any configured auth key contains the target registry string. Because this is a substring match rather than an exact host match, credentials configured for one registry can be selected for and transmitted to a different registry whose hostname has a substring relationship with a configured auth key. This issue is fixed in version 0.7.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.6,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T16:54:50.608Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-pf56-329r-95rw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-pf56-329r-95rw"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/commit/85c58380758b97ce1b74ef470e55cc21f9d3aa89",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/commit/85c58380758b97ce1b74ef470e55cc21f9d3aa89"
            },
            {
              "name": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Foci%400.7.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/sigstore/sigstore-js/releases/tag/%40sigstore%2Foci%400.7.1"
            }
          ],
          "source": {
            "advisory": "GHSA-pf56-329r-95rw",
            "discovery": "UNKNOWN"
          },
          "title": "Credential confusion in \u00a0@sigstore/oci\u00a0 can leak registry credentials to an attacker-controlled registry"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-59891",
        "datePublished": "2026-07-14T16:54:50.608Z",
        "dateReserved": "2026-07-07T16:40:07.983Z",
        "dateUpdated": "2026-07-14T16:54:50.608Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }