CVE-2026-48816
ADVISORY - GitHub
Summary
sigstore-js derives a transparency-log timestamp from tlogEntries[].integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a tlog entry can be inclusionProof-only (no signed inclusionPromise/set), and the inclusion proof path does not cryptographically bind integratedTime. As a result, an attacker who can supply an untrusted bundle can influence time-based verification decisions by choosing integratedTime.
impact
If a consumer accepts attacker-provided bundle v0.2 inputs and relies on tlog-derived timestamps for certificate validity checks, verification can be influenced by an unauthenticated timestamp value. This is a trust gap: integratedTime is treated as a trusted observer timestamp under inclusionProof-only mode even though only the signed inclusionPromise/set path binds it.
affected code
- packages/verify/src/bundle/index.ts (adds a transparency-log timestamp whenever integratedTime != 0)
- packages/verify/src/timestamp/index.ts (converts integratedTime to a Date)
- packages/verify/src/verifier.ts (verifies timestamps before verifying tlog inclusion)
- packages/verify/src/tlog/index.ts + packages/verify/src/tlog/set.ts (only the inclusionPromise/set path binds integratedTime)
proof of concept
The attached poc.zip contains a self-contained harness that reproduces the behavior on the pinned commit and includes both a canonical test and a negative control.
repro:
- extract poc.zip into a fresh directory and run the make targets:
  unzip poc.zip -d poc
  cd poc/poc-F-SIG-JS-TLOGTIME-001
  make canonical
  make control
- confirm canonical.log includes:
  [CALLSITE_HIT]:
  [PROOF_MARKER]:
- confirm control.log includes:
  [NC_MARKER]:
suggested fix
Only treat integratedTime as a trusted timestamp when it is cryptographically bound (for example, via a verified signed inclusionPromise/set). For inclusionProof-only entries, do not count integratedTime toward timestampThreshold, and do not use it for certificate validity decisions unless there is another signed time source (for example, an RFC 3161 timestamp).
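The suggested fix, modelled as an added TypeScript example (not sigstore-js code): the TlogEntry shape, the SetVerifier stub and the sample entries are constructed for illustration; tlogTimestampsUnbound reproduces the behaviour the advisory describes, tlogTimestampsBound applies the fix.

```typescript
interface TlogEntry {
  integratedTime: number;                              // seconds since epoch, as carried in the bundle
  inclusionPromise?: { signedEntryTimestamp: string }; // SET: log signature that covers integratedTime
  inclusionProof?: { logIndex: number };               // Merkle inclusion proof: does NOT cover integratedTime
}

// Stand-in for verifying the signed entry timestamp against the log key (hypothetical).
type SetVerifier = (entry: TlogEntry) => boolean;

// Behaviour described in the advisory: every non-zero integratedTime becomes a trusted timestamp,
// so an inclusionProof-only entry lets an untrusted bundle choose the observed time.
function tlogTimestampsUnbound(entries: TlogEntry[]): Date[] {
  return entries
    .filter((e) => e.integratedTime !== 0)
    .map((e) => new Date(e.integratedTime * 1000));
}

// Suggested fix: integratedTime counts only when a verified inclusionPromise binds it.
function tlogTimestampsBound(entries: TlogEntry[], verifySET: SetVerifier): Date[] {
  return entries
    .filter((e) => e.integratedTime !== 0 && e.inclusionPromise !== undefined && verifySET(e))
    .map((e) => new Date(e.integratedTime * 1000));
}

// Policy check in the style of timestampThreshold: enough trusted timestamps were observed.
function meetsThreshold(stamps: Date[], threshold: number): boolean {
  return stamps.length >= threshold;
}

// Certificate validity: every trusted timestamp must fall inside [notBefore, notAfter].
function withinValidity(stamps: Date[], notBefore: Date, notAfter: Date): boolean {
  return (
    stamps.length > 0 &&
    stamps.every((t) => t.getTime() >= notBefore.getTime() && t.getTime() <= notAfter.getTime())
  );
}

// Constructed samples: the same integratedTime, once without and once with an inclusionPromise.
const proofOnlyEntry: TlogEntry = { integratedTime: 1700000000, inclusionProof: { logIndex: 42 } };
const promiseEntry: TlogEntry = {
  integratedTime: 1700000000,
  inclusionPromise: { signedEntryTimestamp: 'constructed-set' },
  inclusionProof: { logIndex: 43 },
};

// Hypothetical verifier that accepts the constructed promise; real code checks the signature.
const acceptConstructedSET: SetVerifier = (e) => e.inclusionPromise !== undefined;
```

With the unbound logic the proof-only entry alone satisfies a threshold of 1 and passes the validity window; with the bound logic it contributes nothing until a verified promise is present.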
Common Weakness Enumeration (CWE)
Insufficient Verification of Data Authenticity
GitHub
2.8
CVSS SCORE: 6.5 medium