
Posted on • Originally published at cvereports.com

CVE-2026-24137: Trust, But Verify (Your Paths): Inside the Sigstore Path Traversal


Vulnerability ID: CVE-2026-24137
CVSS Score: 5.8
Published: 2026-01-22

A deep dive into a path traversal vulnerability in Sigstore's legacy TUF client that allows malicious repositories to overwrite arbitrary files on a client's machine.

TL;DR

Sigstore's legacy TUF client failed to sanitize target names during disk caching. By crafting a malicious TUF repository with path traversal sequences in target filenames (e.g., ../../etc/passwd), an attacker can break out of the cache directory and overwrite arbitrary files on the victim's system. Fixed in v1.10.4 by URL-encoding target paths.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-22 (Path Traversal)
  • CVSS v3.1: 5.8 (Medium)
  • Attack Vector: Network (Malicious Repo)
  • Impact: Arbitrary File Write / Integrity Loss
  • Exploit Status: PoC Available
  • Privileges Required: High (Repo Signing Key)

Affected Systems

  • github.com/sigstore/sigstore Go library <= 1.10.3 (fixed in 1.10.4)
  • Cosign (versions depending on the vulnerable sigstore library)
  • Custom tooling that uses the legacy TUF client

Code Analysis

Commit: 8ec410a

fix: sanitize tuf cache paths with url encoding

func (d *diskCache) safePath(p string) string {
- return filepath.FromSlash(filepath.Join(d.base, p))
+ return filepath.FromSlash(filepath.Join(d.base, url.PathEscape(p)))
}
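Review bot: the `+` line relies on `url.PathEscape` alone, but `PathEscape` leaves `.` unescaped, so a target named exactly `..` (or `.`) reaches `filepath.Join` unchanged and resolves to the parent of `d.base` (or to `d.base` itself) rather than to a file inside the cache. Consider following the join with a containment assertion, e.g. clean the result and require `strings.HasPrefix(p, d.base+string(filepath.Separator))`, returning an error otherwise, so the encoding is not the only line of defence; a one-line comment on `safePath` saying that the encoding collapses the target name into a single path segment (which is why `PathEscape` is used rather than `filepath.Clean`) would also help future readers.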

Exploit Details

  • N/A: No public automated exploit script is currently available, but the mechanism is documented in the advisory.

Mitigation Strategies

  • Input Sanitization: Ensure all file paths derived from external input are sanitized.
  • Path Validation: Verify that resolved paths reside within the expected directory using Clean and HasPrefix.
  • Privilege Reduction: Run clients with minimal filesystem permissions.
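The three path-handling styles discussed on this page, side by side, as an added Go example (this is illustrative code, not sigstore's own): the unsanitised join the advisory describes, the PathEscape join in the style of the 1.10.4 commit, and the Clean-plus-HasPrefix containment check recommended under Path Validation, which also catches a bare `..` that percent-encoding leaves untouched. The cache root `/var/cache/sigstore`, the target names and the function names are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when a resolved path escapes the cache root.
var ErrOutsideCache = errors.New("target path resolves outside cache directory")

// legacyCachePath mirrors the pre-fix behaviour: the TUF target name is
// joined onto the cache root as-is, so "../" segments in the name walk
// out of the cache directory.
func legacyCachePath(base, target string) string {
	return filepath.FromSlash(filepath.Join(base, target))
}

// escapedCachePath mirrors the 1.10.4 style fix: the target name is
// percent-encoded as a single URL path segment, so every "/" becomes
// "%2F" and the result is one file directly under base.
func escapedCachePath(base, target string) string {
	return filepath.FromSlash(filepath.Join(base, url.PathEscape(target)))
}

// containedCachePath adds the Clean+HasPrefix check from the Mitigation
// section as defence in depth. It escapes the name, cleans the joined
// result and then requires that result to sit strictly below base.
// The prefix includes a trailing separator so that "/cache-evil" is not
// accepted as being inside "/cache", and so that base itself is rejected.
func containedCachePath(base, target string) (string, error) {
	root := filepath.Clean(base)
	p := filepath.Clean(filepath.Join(root, url.PathEscape(target)))
	if !strings.HasPrefix(p, root+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return p, nil
}

func main() {
	// Constructed cache root for the demo.
	const base = "/var/cache/sigstore"
	// Constructed hostile target name, three levels up from the cache root.
	const hostile = "../../../etc/passwd"

	fmt.Println("legacy   :", legacyCachePath(base, hostile))  // /etc/passwd
	fmt.Println("escaped  :", escapedCachePath(base, hostile)) // one file under base
	if _, err := containedCachePath(base, ".."); err != nil {
		fmt.Println("contained:", err) // bare ".." is rejected
	}
	if p, err := containedCachePath(base, "registry.npmjs.org/foo.json"); err == nil {
		fmt.Println("contained:", p) // ordinary target name is accepted
	}
}
```

Run it with `go run .`; the legacy line shows the target landing on `/etc/passwd`, the escaped line shows the same name flattened into a single cache entry, and the contained variant rejects the bare `..` that escaping alone would let through.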

Remediation Steps:

  1. Upgrade the github.com/sigstore/sigstore Go module to version 1.10.4 or later.
  2. If upgrading is not possible, set the environment variable SIGSTORE_NO_CACHE=true in the runtime environment.
  3. Audit systems for unexpected file modifications if a private TUF repository was potentially compromised.

Read the full report for CVE-2026-24137 on our website for more details including interactive diagrams and full exploit analysis.
