SecBoard
Zurück zur CVE-Übersicht

CVE-2026-48758

MEDIUM(5.4)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Risk Signal Score24/100 — NIEDRIG
  • CVSS 5.4 — Mittel
  • Weniger als 24 Stunden alt

Beschreibung

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature and breaking the type-binding guarantee that DSSE is designed to provide. This issue is fixed in version 3.2.1.

GitHub Advisories

GHSA-jfc7-64v2-mr8cMEDIUM

@sigstore/core has DSSE payloadType type-binding failure

npm/@sigstore/core3.2.1
GitHub Advisory

Referenzen