{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/software-security/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["npm/sigstore"],"_cs_severities":["high"],"_cs_tags":["vulnerability","supply-chain","software-security","javascript","npm","code-signing"],"_cs_type":"advisory","_cs_vendors":["Sigstore"],"content_html":"\u003cp\u003eA significant security vulnerability, identified as CVE-2026-48815, affects the \u003ccode\u003enpm/sigstore\u003c/code\u003e JavaScript library in versions up to and including 4.1.0. This flaw stems from a critical oversight in the library's certificate verification logic: while the public \u003ccode\u003esigstore.verify()\u003c/code\u003e API accepts the \u003ccode\u003ecertificateOIDs\u003c/code\u003e option, which is intended to enforce specific object identifiers (OIDs) within a certificate's extensions, this constraint is silently dropped during policy construction. Consequently, applications that rely on \u003ccode\u003ecertificateOIDs\u003c/code\u003e to restrict accepted certificates for artifact signing are left without this crucial protection. An attacker could exploit this by presenting a certificate lacking the expected OIDs, yet still satisfying other verification checks, thereby bypassing a key policy enforcement mechanism and potentially enabling the trust of unauthorized or malicious software artifacts in a supply chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker crafts malicious artifact\u003c/strong\u003e: An attacker creates a malicious software package or artifact intended for distribution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker obtains unauthorized signing certificate\u003c/strong\u003e: The attacker acquires a certificate that meets general validity criteria (e.g., correct issuer, valid dates) but \u003cem\u003elacks\u003c/em\u003e specific critical OID extensions that the target application's \u003ccode\u003esigstore\u003c/code\u003e configuration \u003cem\u003eintends\u003c/em\u003e to enforce via \u003ccode\u003ecertificateOIDs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker signs malicious artifact\u003c/strong\u003e: The attacker signs the malicious artifact using their unauthorized certificate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTarget system attempts to verify artifact\u003c/strong\u003e: A target system, using a vulnerable \u003ccode\u003enpm/sigstore\u003c/code\u003e library (\u0026lt;= 4.1.0) and configured with \u003ccode\u003ecertificateOIDs\u003c/code\u003e to enforce specific OID policies, attempts to verify the signed artifact.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003esigstore\u003c/code\u003e silently drops OID constraints\u003c/strong\u003e: Due to the vulnerability, the \u003ccode\u003enpm/sigstore\u003c/code\u003e library's \u003ccode\u003ecreateVerificationPolicy()\u003c/code\u003e function silently ignores the \u003ccode\u003ecertificateOIDs\u003c/code\u003e parameter when constructing the verification policy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArtifact falsely deemed legitimate\u003c/strong\u003e: The signed malicious artifact passes \u003ccode\u003esigstore\u003c/code\u003e verification because the critical OID extension check, which should have rejected the unauthorized certificate, was never applied.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious artifact executed/deployed\u003c/strong\u003e: The target system proceeds to trust and potentially execute or deploy the malicious artifact, believing it to be legitimately signed and compliant with its security policies.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eApplications integrating the \u003ccode\u003enpm/sigstore\u003c/code\u003e library that depend on the \u003ccode\u003ecertificateOIDs\u003c/code\u003e feature for robust certificate policy enforcement are rendered vulnerable to supply chain attacks. This vulnerability means that unauthorized or non-compliant certificates, which should be explicitly rejected based on missing or incorrect OID extensions, will instead be accepted by the verification process. The direct consequence is that organizations relying on this library for software supply chain integrity could inadvertently trust and deploy malicious artifacts. This could lead to a wide range of impacts, including system compromise, data exfiltration, or the introduction of backdoors, undermining the entire purpose of artifact signing and verification. The exact number of affected organizations is difficult to ascertain, but any user of \u003ccode\u003enpm/sigstore\u003c/code\u003e up to version 4.1.0 configured with \u003ccode\u003ecertificateOIDs\u003c/code\u003e is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-48815 immediately\u003c/strong\u003e: Upgrade \u003ccode\u003enpm/sigstore\u003c/code\u003e to a patched version (4.1.1 or later) to address CVE-2026-48815, ensuring \u003ccode\u003ecertificateOIDs\u003c/code\u003e are correctly enforced during verification.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview \u003ccode\u003esigstore\u003c/code\u003e configurations\u003c/strong\u003e: Audit all \u003ccode\u003esigstore.verify()\u003c/code\u003e and \u003ccode\u003ecreateVerifier()\u003c/code\u003e calls in your codebase to confirm that certificate validation logic correctly identifies and rejects certificates that do not meet expected OID constraints, even after patching.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:37:11Z","date_published":"2026-07-03T12:37:11Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sigstore-oid-bypass/","summary":"A high-severity vulnerability (CVE-2026-48815) in the `npm/sigstore` library (versions \u003c= 4.1.0) causes the `certificateOIDs` verification constraint to be silently ignored, allowing applications to accept unauthorized certificates that should have been rejected based on extension policy, which could lead to supply chain attacks by trusting malicious artifacts.","title":"Sigstore `certificateOIDs` Verification Bypass Vulnerability (CVE-2026-48815)","url":"https://feed.craftedsignal.io/briefs/2026-07-sigstore-oid-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Software-Security","version":"https://jsonfeed.org/version/1.1"}