CVE-2026-48816 in sigstore-jsinfo

Summary

by MITRE • 07/15/2026

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries[].integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind integratedTime, allowing an attacker who can supply an untrusted bundle to influence certificate validity and timestampThreshold verification decisions. This issue is fixed in version 3.1.1.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in sigstore-js affects the @sigstore/verify package versions prior to 3.1.1, specifically targeting the bundle v0.2 validation process that handles inclusionProof-only entries. This flaw represents a critical security weakness in the transparency log verification mechanism that underpins Sigstore's certificate validation system. The issue stems from how the library processes tlogEntries[].integratedTime values when deriving timestamps for bundle validation, creating an attack surface where malicious actors can manipulate certificate validity decisions.

The technical flaw occurs because the verify package incorrectly trusts the integratedTime field from transparency log entries without proper cryptographic binding verification. In inclusionProof-only entries, the integratedTime value exists independently of the actual inclusion proof path that cryptographically binds it to the signed content. This creates a scenario where an attacker who can supply an untrusted bundle can manipulate timestamp values that influence critical validation decisions. The vulnerability directly impacts the timestampThreshold verification mechanism, allowing attackers to potentially bypass time-based security constraints.

From an operational perspective, this vulnerability undermines the fundamental trust model of Sigstore's certificate verification process. Attackers could craft malicious bundles with manipulated integratedTime values that appear valid to the verification library, leading to false certificate validity decisions. The impact extends beyond simple validation failures to potentially enable attacks against supply chain integrity, as timestamps play a crucial role in establishing temporal relationships between signed artifacts and their inclusion in transparency logs. This weakness particularly affects systems relying on strict timestamp validation for security policies.

The fix implemented in version 3.1.1 addresses this by ensuring that integratedTime values are properly cryptographically bound to the inclusion proof path before being used in certificate validity calculations. This aligns with established security practices outlined in CWE-200, which emphasizes the importance of proper data binding and validation in cryptographic systems. The mitigation strategy follows ATT&CK technique T1553.006 for bypassing signature validation mechanisms, as it prevents attackers from manipulating timestamp-based security controls through unauthenticated data sources.

This vulnerability demonstrates the critical importance of proper cryptographic binding in transparency log systems and highlights how seemingly minor implementation flaws can have significant security implications. The fix reinforces the principle that timestamp values derived from external sources must be cryptographically verified before being trusted for security decisions, particularly in supply chain security systems where temporal integrity is paramount. Organizations using sigstore-js should immediately upgrade to version 3.1.1 or later to prevent potential exploitation of this vulnerability, which could compromise the integrity of their software supply chain verification processes.

Responsible

GitHub M

Reservation

05/22/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!