{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-09T08:05:21.806","vulnerabilities":[{"cve":{"id":"CVE-2025-66564","sourceIdentifier":"security-advisories@github.com","published":"2025-12-04T23:15:47.430","lastModified":"2026-03-17T20:38:33.343","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, the function api.ParseJSONRequest splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, the function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument).\nThis vulnerability is fixed in 2.0.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-405"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:linuxfoundation:sigstore_timestamp_authority:*:*:*:*:*:*:*:*","versionEndExcluding":"2.0.3","matchCriteriaId":"7D8EA727-11A8-4D61-8E22-F87608DA7009"}]}]}],"references":[{"url":"https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}