CVE Vulnerabilities

CVE-2026-48758

Improper Verification of Cryptographic Signature

Published: Jul 14, 2026 | Modified: Jul 15, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
5.4 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Ubuntu
root.io logo minimus.io logo echo.ai logo

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature and breaking the type-binding guarantee that DSSE is designed to provide. This issue is fixed in version 3.2.1.

Weakness

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References