
chore(deps): update module github.com/sigstore/rekor to v1.5.2 [security] (release-2.4)#158

Merged
adamwg merged 1 commit into
release-2.4from
renovate/release-2.4-go-github.com-sigstore-rekor-vulnerability
Jun 26, 2026

Conversation

@crossplane-renovate

Contributor

This PR contains the following updates:

Package Change
github.com/sigstore/rekor v1.5.1 -> v1.5.2

Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic

CVE-2026-48702 / GHSA-47q9-m4ww-924m

More information

Details

Description

The Package.Unmarshal() function in pkg/types/alpine/apk.go decompresses the signature and control gzip members of an APK file into in-memory buffers without bounding the total decompressed size. The existing max_apk_metadata_size check (default 1MB) is only applied to individual tar entry header sizes after decompression completes, so it does not prevent a decompression bomb from consuming unbounded heap memory.

An attacker can craft a gzip stream that compresses at a ~1000:1 ratio (e.g., 2MB compressed zeros → 2GB decompressed). When submitted as spec.package.content in an Alpine ProposedEntry, the server decompresses the full payload into memory during request processing, triggering a fatal Go runtime out-of-memory error or OS OOM-kill that cannot be caught by the server's recover() middleware.

This is reachable via two unauthenticated endpoints:

  • POST /api/v1/log/entries (createLogEntry)
  • POST /api/v1/log/entries/retrieve (searchLogQuery)

Both invoke V001Entry.Canonicalize() -> fetchExternalEntities() -> apk.Unmarshal(packageData), which performs the unbounded decompression.

Workarounds

There is no effective workaround. Setting max_request_body_size reduces but does not eliminate exposure due to the ~1000:1 compression ratio (a 1MB body limit still allows ~1GB heap allocation). Setting max_apk_metadata_size has no effect on this vulnerability since the check is applied after decompression.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/rekor (github.com/sigstore/rekor)

v1.5.2

Compare Source

Changelog

  • 759b98e alpine: Enforce max size limit on decompression (#2831)
  • c7e77ee Support restricting kinds on insertion (#2814)
  • a10818a fix(trillianclient): strip dns:/// scheme from TLS ServerName in gRPC dial (#2812)
  • 8a2f3a2 add checks to ensure returned entries match client inputs to rekor-cli (#2799)
  • 0e88bac add nil pointer check to resolve fuzzing crash (#2807)
  • 93da954 client: surface last-response details after retries are exhausted (#2796)
  • 4d67ecd Fix internal error detail leakage in 500 responses (#2801)
  • b34ca94 add defensive check to ensure tid is in config ahead of getting client (#2795)
  • 656c832 restapi: include inactiveShards in the homepage total count (#2797)
Thanks for all contributors!

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
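The advisory above describes a size check that runs only after decompression has finished. As an added illustration, not code from rekor or from this PR, the following shows the defensive pattern the changelog entry "Enforce max size limit on decompression" refers to: capping what the gzip reader may produce before it reaches an in-memory buffer. The names DecompressBounded and gzipZeros, and the limits used, are assumptions for this example, not rekor's API; the "bomb" input is constructed inline.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when a gzip member expands past the cap.
var ErrDecompressedTooLarge = errors.New("decompressed size exceeds limit")

// DecompressBounded inflates one gzip member from r, refusing to produce more
// than maxBytes of output. The limit is enforced while reading, so a
// high-ratio stream never allocates more than maxBytes+1 on the heap.
// (Hypothetical helper, not rekor's implementation.)
func DecompressBounded(r io.Reader, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// APK files are concatenated gzip members (signature, control, data);
	// stop at the end of the first member instead of inflating them all.
	zr.Multistream(false)
	// Read at most maxBytes+1 so "exactly at the limit" and "over the
	// limit" can be told apart without buffering the excess.
	out, err := io.ReadAll(io.LimitReader(zr, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}

// gzipZeros builds a constructed input: n zero bytes, gzip-compressed.
// Long zero runs compress at roughly 1000:1, the shape the advisory describes.
func gzipZeros(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(make([]byte, n))
	zw.Close()
	return buf.Bytes()
}

func main() {
	bomb := gzipZeros(8 << 20) // 8 MiB of zeros, only a few KiB compressed
	fmt.Printf("compressed size: %d bytes\n", len(bomb))
	_, err := DecompressBounded(bytes.NewReader(bomb), 1<<20) // 1 MiB cap
	fmt.Println("bounded read:", err)
}
```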

@crossplane-renovate crossplane-renovate Bot requested a review from jcogilvie as a code owner June 26, 2026 09:07
@crossplane-renovate crossplane-renovate Bot requested review from a team and tampakrap as code owners June 26, 2026 09:07
@crossplane-renovate crossplane-renovate Bot requested review from phisco and removed request for a team June 26, 2026 09:07
@crossplane-renovate

Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 31 additional dependencies were updated

Details:

Package Change
github.com/aws/aws-sdk-go-v2 v1.41.4 -> v1.41.6
github.com/aws/aws-sdk-go-v2/config v1.32.12 -> v1.32.14
github.com/aws/aws-sdk-go-v2/credentials v1.19.12 -> v1.19.14
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.20 -> v1.18.21
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.20 -> v1.4.22
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.20 -> v2.7.22
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.20 -> v1.13.21
github.com/aws/aws-sdk-go-v2/service/signin v1.0.8 -> v1.0.9
github.com/aws/aws-sdk-go-v2/service/sso v1.30.13 -> v1.30.15
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.17 -> v1.35.19
github.com/aws/aws-sdk-go-v2/service/sts v1.41.9 -> v1.41.10
github.com/aws/smithy-go v1.24.2 -> v1.25.0
github.com/go-openapi/analysis v0.24.3 -> v0.25.0
github.com/go-openapi/runtime v0.29.3 -> v0.29.4
github.com/go-openapi/strfmt v0.26.1 -> v0.26.2
github.com/go-openapi/swag v0.25.5 -> v0.26.0
github.com/go-openapi/swag/cmdutils v0.25.5 -> v0.26.0
github.com/go-openapi/swag/conv v0.25.5 -> v0.26.0
github.com/go-openapi/swag/fileutils v0.25.5 -> v0.26.0
github.com/go-openapi/swag/jsonname v0.25.5 -> v0.26.0
github.com/go-openapi/swag/jsonutils v0.25.5 -> v0.26.0
github.com/go-openapi/swag/loading v0.25.5 -> v0.26.0
github.com/go-openapi/swag/mangling v0.25.5 -> v0.26.0
github.com/go-openapi/swag/netutils v0.25.5 -> v0.26.0
github.com/go-openapi/swag/stringutils v0.25.5 -> v0.26.0
github.com/go-openapi/swag/typeutils v0.25.5 -> v0.26.0
github.com/go-openapi/swag/yamlutils v0.25.5 -> v0.26.0
github.com/secure-systems-lab/go-securesystemslib v0.10.0 -> v0.11.0
github.com/sigstore/protobuf-specs v0.5.0 -> v0.5.1
github.com/sigstore/sigstore v1.10.5 -> v1.10.6
k8s.io/klog/v2 v2.130.1 -> v2.140.0

@adamwg adamwg merged commit a542cff into release-2.4 Jun 26, 2026
9 checks passed
@crossplane-renovate crossplane-renovate Bot deleted the renovate/release-2.4-go-github.com-sigstore-rekor-vulnerability branch June 27, 2026 08:56
