Description
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an unauthenticated remote attacker to issue requests with random paths such as /api/v1/timestamp/<uuid> or random HTTP methods and create unbounded permanent time-series entries that exhaust memory. This issue is fixed in version 2.1.0.
Published: 2026-07-17
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9c54-x2g4-v92j Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality
History

Fri, 17 Jul 2026 18:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Sigstore Timestamp Authority. An unauthenticated remote attacker can exploit this vulnerability by sending requests with arbitrary HTTP paths and methods. This leads to the creation of an excessive number of unique metric labels, causing unbounded memory growth and a denial of service (DoS) condition on the server. This issue is a type of Improper Restriction of Resource Consumption (CWE-770). Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an unauthenticated remote attacker to issue requests with random paths such as /api/v1/timestamp/<uuid> or random HTTP methods and create unbounded permanent time-series entries that exhaust memory. This issue is fixed in version 2.1.0.
Title timestamp-authority: Sigstore Timestamp Authority: Denial of Service via unbounded metric label cardinality Sigstore Timestamp Authority: OOM due to unbounded metric label cardinality
References

Wed, 15 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in Sigstore Timestamp Authority. An unauthenticated remote attacker can exploit this vulnerability by sending requests with arbitrary HTTP paths and methods. This leads to the creation of an excessive number of unique metric labels, causing unbounded memory growth and a denial of service (DoS) condition on the server. This issue is a type of Improper Restriction of Resource Consumption (CWE-770).
Title timestamp-authority: Sigstore Timestamp Authority: Denial of Service via unbounded metric label cardinality
Weaknesses CWE-770
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-17T19:45:44.026Z

Reserved: 2026-06-01T18:50:36.056Z

Link: CVE-2026-49835

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-30T18:40:39Z

Links: CVE-2026-49835 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses