Description
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an unauthenticated remote attacker to issue requests with random paths such as /api/v1/timestamp/<uuid> or random HTTP methods and create unbounded permanent time-series entries that exhaust memory. This issue is fixed in version 2.1.0.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-9c54-x2g4-v92j | Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality |
References
History
Fri, 17 Jul 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in Sigstore Timestamp Authority. An unauthenticated remote attacker can exploit this vulnerability by sending requests with arbitrary HTTP paths and methods. This leads to the creation of an excessive number of unique metric labels, causing unbounded memory growth and a denial of service (DoS) condition on the server. This issue is a type of Improper Restriction of Resource Consumption (CWE-770). | Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an unauthenticated remote attacker to issue requests with random paths such as /api/v1/timestamp/<uuid> or random HTTP methods and create unbounded permanent time-series entries that exhaust memory. This issue is fixed in version 2.1.0. |
| Title | timestamp-authority: Sigstore Timestamp Authority: Denial of Service via unbounded metric label cardinality | Sigstore Timestamp Authority: OOM due to unbounded metric label cardinality |
| References |
|
Wed, 15 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in Sigstore Timestamp Authority. An unauthenticated remote attacker can exploit this vulnerability by sending requests with arbitrary HTTP paths and methods. This leads to the creation of an excessive number of unique metric labels, causing unbounded memory growth and a denial of service (DoS) condition on the server. This issue is a type of Improper Restriction of Resource Consumption (CWE-770). | |
| Title | timestamp-authority: Sigstore Timestamp Authority: Denial of Service via unbounded metric label cardinality | |
| Weaknesses | CWE-770 | |
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T19:45:44.026Z
Reserved: 2026-06-01T18:50:36.056Z
Link: CVE-2026-49835
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
Github GHSA