CVE-2025-66506 Overview
CVE-2025-66506 is a denial of service vulnerability in Fulcio, the free-to-use certificate authority for issuing code signing certificates for OpenID Connect (OIDC) identities. The vulnerability exists in the identity.extractIssuerURL function which improperly handles malicious OIDC identity tokens containing excessive period characters. Prior to version 1.8.3, the function uses strings.Split on untrusted input, causing memory allocations proportional to the token length (O(n) bytes with a constant factor of approximately 16) when processing malformed tokens with many period delimiters.
Critical Impact
Attackers can cause resource exhaustion and denial of service on Fulcio certificate authority servers by sending maliciously crafted OIDC tokens with excessive period characters, potentially disrupting code signing operations across software supply chains.
Affected Products
- linuxfoundation fulcio (versions prior to 1.8.3)
Discovery Timeline
- 2025-12-04 - CVE CVE-2025-66506 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2025-66506
Vulnerability Analysis
The vulnerability stems from improper input validation in the extractIssuerURL function within the pkg/identity/issuerpool.go file. This function is responsible for parsing JWT tokens to extract the issuer URL from OIDC identity tokens. The function accepts untrusted token data and splits it using strings.Split on the period character delimiter.
In a properly formatted JWT, the token consists of exactly three parts separated by two periods (header.payload.signature). However, the vulnerable implementation first splits the entire token on all period characters before validating the part count. When an attacker submits a token containing thousands of period characters, the strings.Split function creates an array with an entry for each segment, causing memory allocation proportional to the input size.
This creates an algorithmic complexity attack vector where an attacker can force the server to allocate excessive memory by crafting tokens with many period characters. The memory overhead is approximately 16 bytes per period character in the input, making it possible to exhaust server resources with relatively small malicious payloads.
Root Cause
The root cause is the use of strings.Split on untrusted input without first validating the structure of the JWT token. The function allocated memory for all segments before checking if the token has the expected three parts. This is classified as CWE-405 (Asymmetric Resource Consumption / Amplification), where a small attacker-controlled input triggers disproportionate resource consumption on the server.
Attack Vector
An attacker can exploit this vulnerability by sending HTTP requests to the Fulcio certificate authority containing maliciously crafted OIDC identity tokens in the request payload. The tokens would contain thousands of period characters, causing the server to allocate excessive memory when parsing each request. By sending multiple such requests, an attacker could exhaust server memory and cause denial of service, disrupting certificate signing operations for legitimate users.
// Vulnerable code (before patch) - pkg/identity/issuerpool.go
func extractIssuerURL(token string) (string, error) {
parts := strings.Split(token, ".")
if len(parts) != 3 {
return "", fmt.Errorf("oidc: malformed jwt, expected 3 parts got %d", len(parts))
}
raw, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return "", fmt.Errorf("oidc: malformed jwt payload: %w", err)
}
// ...
}
// Fixed code (after patch) - validates structure before splitting
func extractIssuerURL(token string) (string, error) {
if strings.Count(token, ".") != 2 {
return "", fmt.Errorf("oidc: malformed jwt, token must have 3 parts")
}
parts := strings.SplitN(token, ".", 3)
raw, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return "", fmt.Errorf("oidc: malformed jwt payload: %w", err)
}
// ...
}
Source: GitHub Commit Update
Detection Methods for CVE-2025-66506
Indicators of Compromise
- Unusual memory consumption spikes on Fulcio server instances
- HTTP requests with abnormally large Authorization headers or token payloads
- Request payloads containing strings with excessive period characters
- Server out-of-memory errors or crashes during certificate signing operations
Detection Strategies
- Monitor Fulcio server memory utilization for sudden spikes that may indicate resource exhaustion attacks
- Implement request size limits and input validation at the load balancer or reverse proxy level
- Analyze access logs for requests with unusually large payloads or high-frequency requests from single sources
- Deploy application performance monitoring to detect abnormal resource consumption patterns
Monitoring Recommendations
- Set up alerting for Fulcio service memory usage exceeding normal operational thresholds
- Monitor for increased request latency that may indicate server resource strain
- Track failed certificate signing requests that could signal service degradation
- Implement rate limiting on certificate signing endpoints to mitigate DoS attempts
How to Mitigate CVE-2025-66506
Immediate Actions Required
- Upgrade Fulcio to version 1.8.3 or later immediately
- Review server logs for any suspicious activity or potential exploitation attempts
- Implement request payload size limits at the network edge
- Consider deploying rate limiting on OIDC token validation endpoints
Patch Information
The vulnerability is fixed in Fulcio version 1.8.3. The patch modifies the extractIssuerURL function to first validate the token structure using strings.Count to ensure exactly two period characters exist before splitting the token. Additionally, the fix uses strings.SplitN with a limit of 3 parts instead of strings.Split, preventing excessive memory allocation regardless of input content. For detailed patch information, refer to the GitHub Commit Update and the GitHub Security Advisory GHSA-f83f-xpx7-ffpw.
Workarounds
- Deploy a reverse proxy or WAF rule to reject requests with tokens containing more than two period characters
- Implement request body size limits to prevent large malicious payloads from reaching the application
- Use network-level rate limiting to reduce the impact of potential DoS attempts
- Monitor and restrict access to certificate signing endpoints to trusted clients only
# Example nginx configuration to limit request body size
# Add to server or location block for Fulcio endpoints
client_max_body_size 64k;
client_body_buffer_size 64k;
# Rate limiting configuration
limit_req_zone $binary_remote_addr zone=fulcio_limit:10m rate=10r/s;
location /api/v2/signingCert {
limit_req zone=fulcio_limit burst=20 nodelay;
proxy_pass http://fulcio_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
