CVE-2026-49835 in timestamp-authorityinfo

Summary

by MITRE • 07/17/2026

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an unauthenticated remote attacker to issue requests with random paths such as /api/v1/timestamp/<uuid> or random HTTP methods and create unbounded permanent time-series entries that exhaust memory. This issue is fixed in version 2.1.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/17/2026

The Sigstore Timestamp Authority represents a critical component in software supply chain security, providing RFC 3161 compliant timestamp services that are essential for establishing cryptographic proof of when artifacts were created or modified. This service operates as a centralized authority that issues time-stamps to validate the integrity and chronological order of digital signatures, making it a vital element in maintaining trust within software distribution pipelines. The vulnerability under examination affects versions prior to 2.1.0 where the system's monitoring infrastructure contains a fundamental design flaw that exposes the service to memory exhaustion attacks through improper metric collection practices.

The technical flaw manifests in the global wrapMetrics middleware implementation which indiscriminately records raw HTTP request paths and methods as Prometheus labels for latency and request count metrics before any routing decisions are made. This middleware component, designed to provide observability into service performance, fails to sanitize or limit the input values it collects, creating a path for malicious actors to generate unlimited metric time-series entries. When an unauthenticated remote attacker submits requests with arbitrary paths such as /api/v1/timestamp/ or random HTTP methods, the system automatically creates new Prometheus label combinations that persist indefinitely in memory. This design oversight directly violates security principles related to input validation and resource consumption limits, creating a vector for resource exhaustion attacks that can ultimately lead to service degradation or complete denial of service.

The operational impact of this vulnerability extends beyond simple resource exhaustion, as it fundamentally undermines the reliability and availability of the Timestamp Authority service. Attackers can leverage this flaw to consume system memory resources at an unbounded rate through legitimate API interactions, potentially causing cascading failures throughout the software supply chain infrastructure that depends on these time-stamps for trust validation. The permanent nature of these metric entries means that once consumed, system resources cannot be reclaimed through normal garbage collection processes, leading to progressive degradation of service performance. This vulnerability particularly affects environments where the Timestamp Authority serves as a critical dependency for code signing and artifact verification processes, making it a high-value target for adversaries seeking to disrupt software delivery pipelines.

The fix implemented in version 2.1.0 addresses this vulnerability through proper input sanitization and metric label limiting mechanisms that prevent the creation of unbounded time-series entries. This remediation aligns with industry best practices for secure observability and follows principles outlined in CWE-1349 which addresses improper use of system resources in monitoring systems. The solution typically involves implementing rate limiting, input validation, or label cardinality controls within the metric collection layer to prevent malicious actors from exhausting system resources through crafted requests. Organizations should also consider implementing additional security controls such as request rate limiting at the network level and monitoring for unusual metric label patterns that could indicate exploitation attempts. This vulnerability demonstrates the importance of securing monitoring infrastructure as part of overall application security, as observability systems can themselves become attack vectors if not properly designed with security in mind. The remediation process requires careful consideration of existing metrics and their impact on system performance while ensuring that legitimate monitoring capabilities remain intact.

Responsible

GitHub M

Reservation

06/01/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!