CVE-2025-66506

ADVISORY - github

Summary

Function identity.extractIssuerURL currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details See identity.extractIssuerURL

Impact Excessive memory allocation

EPSS Score⁠: 0.00033 (0.092)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-405⁠

Asymmetric Resource Consumption (Amplification)

ADVISORY - github

CWE-405⁠

Asymmetric Resource Consumption (Amplification)

ADVISORY - redhat

CWE-405⁠

Asymmetric Resource Consumption (Amplification)

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.