CVE-2026-48758 PUBLISHED

sigstore-js: DSSE payloadType type-binding failure

Assigner: GitHub_M
Reserved: 22.05.2026 Published: 14.07.2026 Updated: 15.07.2026

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature and breaking the type-binding guarantee that DSSE is designed to provide. This issue is fixed in version 3.2.1.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CVSS Score: 5.4

Product Status

Vendor sigstore
Product sigstore-js
Versions
  • Version < 3.2.1 is affected

References

Problem Types

  • CWE-347: Improper Verification of Cryptographic Signature CWE