{"id":"GHSA-4qg8-fj49-pxjh","summary":"Sigstore Timestamp Authority allocates excessive memory during request parsing","details":"### Impact\n\n**Excessive memory allocation**\n\nFunction [api.ParseJSONRequest](https://github.com/sigstore/timestamp-authority/blob/26d7d426d3000abdbdf2df34de56bb92246c0365/pkg/api/timestamp.go#L63) currently splits (via a call to [strings.Split](https://pkg.go.dev/strings#Split)) an optionally-provided OID (which is untrusted data) on periods. Similarly, function [api.getContentType](https://github.com/sigstore/timestamp-authority/blob/26d7d426d3000abdbdf2df34de56bb92246c0365/pkg/api/timestamp.go#L114) splits the `Content-Type` header (which is also untrusted data) on an `application` string.\n\nAs a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed `Content-Type` header, a call to `api.ParseJSONRequest` or `api.getContentType` incurs allocations of O(n) bytes (where n stands for the length of the function's argument). Relevant weakness: [CWE-405: Asymmetric Resource Consumption (Amplification)](https://cwe.mitre.org/data/definitions/405.html)\n\n### Patches\n\nUpgrade to v2.0.3.\n\n### Workarounds\n\nThere are no workarounds with the service itself. If the service is behind a load balancer, configure the load balancer to reject excessively large requests.","aliases":["CVE-2025-66564","GO-2025-4192"],"modified":"2026-02-04T03:30:37.024290Z","published":"2025-12-05T18:19:00Z","related":["CGA-m9c4-mx87-79fq"],"database_specific":{"severity":"HIGH","github_reviewed":true,"github_reviewed_at":"2025-12-05T18:19:00Z","cwe_ids":["CWE-405"],"nvd_published_at":"2025-12-04T23:15:47Z"},"references":[{"type":"WEB","url":"https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66564"},{"type":"WEB","url":"https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421"},{"type":"PACKAGE","url":"https://github.com/sigstore/timestamp-authority"}],"affected":[{"package":{"name":"github.com/sigstore/timestamp-authority","ecosystem":"Go","purl":"pkg:golang/github.com/sigstore/timestamp-authority"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.0.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-4qg8-fj49-pxjh/GHSA-4qg8-fj49-pxjh.json","last_known_affected_version_range":"\u003c= 2.0.2"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}