GHSA-fcv2-xgw5-pqxf · Severity: medium · Ecosystem: go — sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal
sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release.
Conclusion & alert: CVE-2026-24137 is rated Low Risk (23.5/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.01%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-01-23 | — | 0.01% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.8 | 3.1 | MEDIUM |
|
1.3 | 4.0 | [email protected] |
GHSA-fcv2-xgw5-pqxf · Severity: medium · Ecosystem: go — sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-24137 not yet assigned priority: Debian including 1 source packages (golang-github-sigstore-sigstore), 3 status rows across 3 suites (forky, sid, trixie): resolved 2, open 1. | https://security-tracker.debian.org/tracker/CVE-2026-24137 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2026-24137 |
suse
|
medium | CVE-2026-24137 severity moderate: SUSE including 14 source package names (cosign-3.0.5-1.1, cosign-3.0.5-150400.3.35.1, …), 49 product×package rows across 38 product lines (Image SL-Micro, Image SL-Micro-Azure, … (38 product lines)): Fixed 48, First Fixed 1. | https://www.suse.com/security/cve/CVE-2026-24137/ |
ubuntu
|
medium | CVE-2026-24137 medium priority: Ubuntu including 1 source packages (golang-github-sigstore-sigstore), 4 status rows across 4 suites (jammy, noble, questing, upstream): needs-triage 3, DNE 1. | https://ubuntu.com/security/CVE-2026-24137 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||