Back to overview

CVE-2026-48758

MEDIUM Exploitation: PoC
5.4
CVSS 3.1
Description
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature and breaking the type-binding guarantee that DSSE is designed to provide. This issue is fixed in version 3.2.1.

Metadata

CVE ID
CVE-2026-48758
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-22 19:39 UTC
Published
2026-07-14 20:36 UTC
Last updated
2026-07-15 12:54 UTC
Primary CWE
CWE-347
CWE-347: Improper Verification of Cryptographic Signature
Vendor / Product
sigstore / sigstore-js
Sources
cve.org  ·  NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
sigstore sigstore-js < 3.2.1
Weakness (CWE)
CWESourceDescription
CWE-347 cna CWE-347: Improper Verification of Cryptographic Signature
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.4 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
References (4)
Back to overview