CVE-2026-48815 in sigstore-js
Summary
by MITRE • 07/15/2026
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications relying on certificateOIDs to restrict which certificates may sign artifacts can accept unauthorized certificates. This issue is fixed in version 4.1.1.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/15/2026
The sigstore-js library represents a critical security vulnerability that affects the integrity verification process of software artifacts within JavaScript environments. This flaw exists in versions prior to 4.1.1 where the certificateOIDs parameter, which should enforce strict certificate extension validation, is effectively ignored during the verification workflow. The vulnerability stems from a design oversight where the API accepts the certificateOIDs option through its public interface but fails to implement the intended validation logic, creating a false sense of security for applications that depend on this mechanism.
The technical flaw manifests as a bypass of certificate extension validation controls that are fundamental to ensuring only authorized certificates can sign software artifacts. When applications call sigstore.verify() with a certificateOIDs parameter, they expect specific certificate extensions to be validated against the provided OIDs, but due to the implementation error, these checks never occur. This represents a classic case of input validation failure where legitimate API parameters are accepted but subsequently discarded without proper processing. The vulnerability directly impacts the certificate chain verification process and undermines the trust model that sigstore services are designed to maintain.
The operational impact of this vulnerability is significant for organizations relying on sigstore-js for software supply chain security. Applications that depend on certificateOIDs to restrict which certificates can sign artifacts may unknowingly accept unauthorized certificates, potentially allowing malicious actors to bypass security controls. This creates a pathway for supply chain attacks where compromised or unauthorized certificates could be accepted as legitimate signatures. The vulnerability essentially renders the certificateOIDs configuration option ineffective, undermining the intended access control mechanisms and potentially exposing systems to unauthorized artifact signing operations.
Security practitioners should note this issue aligns with CWE-295 which addresses improper certificate validation and relates to ATT&CK technique T1553.004 for credential dumping and certificate manipulation. The vulnerability represents a failure in the principle of least privilege where certificate validation controls are bypassed, allowing for broader acceptance of signing certificates than intended. Organizations using sigstore-js should immediately upgrade to version 4.1.1 or later to remediate this flaw, as the fix ensures that certificateOIDs parameters are properly processed and enforced during verification operations.
The mitigation strategy involves immediate deployment of the patched version 4.1.1 which correctly implements certificate extension validation. Security teams should conduct inventory assessments to identify all systems using affected versions of sigstore-js and ensure proper patching across the enterprise. Additionally, organizations should review their certificate validation policies and consider implementing additional monitoring for unauthorized certificate acceptance patterns. The fix demonstrates proper input handling where API parameters are not only accepted but also rigorously validated according to their intended security purposes, reinforcing the importance of comprehensive testing for security-critical functions in software libraries.