@renovate renovate bot commented Dec 22, 2025

This PR contains the following updates:

Package Change
github.com/sigstore/fulcio v1.7.1 -> v1.8.3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-66506

Function identity.extractIssuerURL currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details
See identity.extractIssuerURL

Impact
Excessive memory allocation


Fulcio allocates excessive memory during token parsing in github.com/sigstore/fulcio

CVE-2025-66506 / GHSA-f83f-xpx7-ffpw / GO-2025-4193


Severity

Unknown

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Fulcio allocates excessive memory during token parsing

CVE-2025-66506 / GHSA-f83f-xpx7-ffpw / GO-2025-4193

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/fulcio (github.com/sigstore/fulcio)

v1.8.3

Compare Source

Vulnerability Fixes

Features

  • feat: Add support for skipping email_verified claim requirement per issuer (#​2220)
  • add meta-issuer circleci block (#​2215)
  • add circleci info to fulcio (#​2192)

Testing

v1.8.2

Compare Source

Testing

  • make email address in test cases rfc822 conformant (#​2205)

v1.8.1

Compare Source

Same as v1.8.0, but with a fix for the CI build pipeline.

v1.8.0

Compare Source

Bug Fixes

  • fix: K8s API does not accept unauthorized requests (#​2111)
  • fix: vault for enterprise expects only the key name (#​2117)
  • fix(config): respect cacert on oidc-issuers (#​2098)
  • Register /healthz endpoint when listening on duplex http/grpc port (#​2046)

Features

  • feat: adds cert loading and key-match validation. (#​2173)
  • expose gcp kms retry and timeout options (#​2132)
  • server: Use warning log level for client errors (#​2147)
  • Add workflow to periodically validate OIDC issuers (#​2188)
  • Add Chainguard issuer (#​2078)
  • Add logging for template error (#​2194)
  • Add extension for deployment environment (#​2190)

Removal

  • Remove cmd/create_tink_keyset (#​2096)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
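The allocation pattern the advisory above describes, beside a bounded variant, as an added Go example: this is a constructed illustration, not Fulcio's code or its actual fix, and the names payloadUnbounded, payloadBounded and allocBytes are assumptions. The 16-byte figure is the size of a Go string header on 64-bit platforms, which matches the advisory's constant factor.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"strings"
)

// payloadUnbounded mirrors the pattern the advisory describes (constructed
// illustration, not Fulcio's code): strings.Split on untrusted input builds a
// []string with one 16-byte header per period before any validation runs.
func payloadUnbounded(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token must have exactly three segments")
	}
	return parts[1], nil
}

// payloadBounded is the hardened form: SplitN stops after four pieces, so the
// slice size no longer depends on how many periods the input contains, while a
// token with more than two periods still fails the three-segment check.
func payloadBounded(token string) (string, error) {
	parts := strings.SplitN(token, ".", 4)
	if len(parts) != 3 {
		return "", errors.New("token must have exactly three segments")
	}
	return parts[1], nil
}

// allocBytes measures how many heap bytes one call to fn allocates, using the
// cumulative TotalAlloc counter so a GC in between cannot hide the cost.
func allocBytes(fn func(string) (string, error), token string) uint64 {
	var before, after runtime.MemStats
	runtime.ReadMemStats(&before)
	fn(token)
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc
}

func main() {
	hostile := strings.Repeat(".", 1_000_000) // constructed: 1M periods, no JWT
	fmt.Printf("unbounded: %d bytes\n", allocBytes(payloadUnbounded, hostile))
	fmt.Printf("bounded:   %d bytes\n", allocBytes(payloadBounded, hostile))
	seg, err := payloadBounded("hdr.payload.sig") // constructed well-formed shape
	fmt.Println(seg, err)
}
```

Because Split's result is a single large allocation, the unbounded call reports roughly 16 bytes per period of input, while the bounded call stays in the tens of bytes regardless of input length.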

@renovate renovate bot requested a review from a team as a code owner December 22, 2025 17:21

renovate bot commented Dec 22, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 52 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.0 -> 1.25.0
cloud.google.com/go/auth v0.16.2 -> v0.17.0
cloud.google.com/go/compute/metadata v0.7.0 -> v0.9.0
cloud.google.com/go/kms v1.22.0 -> v1.23.2
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 -> v1.20.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 -> v1.13.1
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 -> v1.11.2
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 -> v1.4.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 -> v1.2.0
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 -> v1.6.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 -> v1.30.0
github.com/aws/aws-sdk-go-v2/config v1.31.19 -> v1.31.20
github.com/aws/aws-sdk-go-v2/credentials v1.18.23 -> v1.18.24
github.com/aws/aws-sdk-go-v2/service/kms v1.41.0 -> v1.48.2
github.com/aws/aws-sdk-go-v2/service/sso v1.30.2 -> v1.30.3
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.6 -> v1.35.7
github.com/aws/aws-sdk-go-v2/service/sts v1.40.1 -> v1.40.2
github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 -> v0.0.0-20251022180443-0feb69152e9f
github.com/coreos/go-oidc/v3 v3.14.1 -> v3.17.0
github.com/envoyproxy/go-control-plane/envoy v1.32.4 -> v1.35.0
github.com/go-jose/go-jose/v4 v4.1.2 -> v4.1.3
github.com/golang-jwt/jwt/v5 v5.2.2 -> v5.3.0
github.com/googleapis/enterprise-certificate-proxy v0.3.6 -> v0.3.7
github.com/googleapis/gax-go/v2 v2.14.2 -> v2.15.0
github.com/jellydator/ttlcache/v3 v3.3.0 -> v3.4.0
github.com/prometheus/client_golang v1.22.0 -> v1.23.2
github.com/prometheus/common v0.64.0 -> v0.67.4
github.com/secure-systems-lab/go-securesystemslib v0.9.0 -> v0.9.1
github.com/sigstore/protobuf-specs v0.4.3 -> v0.5.0
github.com/sigstore/sigstore v1.9.5 -> v1.10.0
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 -> v1.10.0
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 -> v1.10.0
github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.5 -> v1.10.0
github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.5 -> v1.10.0
github.com/spf13/cobra v1.9.1 -> v1.10.2
github.com/spf13/pflag v1.0.7 -> v1.0.10
github.com/spiffe/go-spiffe/v2 v2.5.0 -> v2.6.0
go.opentelemetry.io/auto/sdk v1.1.0 -> v1.2.1
go.opentelemetry.io/contrib/detectors/gcp v1.36.0 -> v1.38.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 -> v0.63.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 -> v0.63.0
go.uber.org/zap v1.27.0 -> v1.27.1
golang.org/x/crypto v0.44.0 -> v0.45.0
golang.org/x/oauth2 v0.30.0 -> v0.33.0
golang.org/x/time v0.12.0 -> v0.14.0
google.golang.org/api v0.242.0 -> v0.256.0
google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 -> v0.0.0-20250603155806-513f23925822
k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e -> v0.0.0-20250820121507-0af2bda4dd1d
sigs.k8s.io/release-utils v0.11.1 -> v0.12.2
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 -> v2.27.3
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251022142026-3a174f9686a8
google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251103181224-f26f9409b101
google.golang.org/grpc v1.76.0 -> v1.77.0
