Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.
AnalysisAI
A security vulnerability in Fulcio (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.
Technical ContextAI
Vulnerability type not specified by vendor. CVSS 7.5 indicates high severity. Affects Fulcio.
RemediationAI
Apply the vendor-supplied patch immediately.
Same technique Information Disclosure
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| questing | needs-triage | - |
| upstream | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
Debian
Bug #1122059| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie | vulnerable | 1.6.5-1 | - |
| forky, sid | vulnerable | 1.7.1-1 | - |
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-201293
GHSA-f83f-xpx7-ffpw