
Update module github.com/sigstore/rekor to v1.5.2 [SECURITY] (release-v0.8) #3364

Open
renovate[bot] wants to merge 1 commit into release-v0.8 from renovate/release-v0.8-go-github.com-sigstore-rekor-vulnerability

Update module github.com/sigstore/rekor to v1.5.2 [SECURITY] (release-v0.8)#3364
renovate[bot] wants to merge 1 commit into
release-v0.8from
renovate/release-v0.8-go-github.com-sigstore-rekor-vulnerability

Conversation

@renovate renovate Bot commented Jun 26, 2026

Contributor

This PR contains the following updates:

Package | Change
github.com/sigstore/rekor | v1.5.0 → v1.5.2

Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic

CVE-2026-48702 / GHSA-47q9-m4ww-924m


Description

The Package.Unmarshal() function in pkg/types/alpine/apk.go decompresses the signature and control gzip members of an APK file into in-memory buffers without bounding the total decompressed size. The existing max_apk_metadata_size check (default 1MB) is only applied to individual tar entry header sizes after decompression completes, so it does not prevent a decompression bomb from consuming unbounded heap memory.

An attacker can craft a gzip stream that compresses at a ~1000:1 ratio (e.g., 2MB compressed zeros → 2GB decompressed). When submitted as spec.package.content in an Alpine ProposedEntry, the server decompresses the full payload into memory during request processing, triggering a fatal Go runtime out-of-memory error or OS OOM-kill that cannot be caught by the server's recover() middleware.

This is reachable via two unauthenticated endpoints:

  • POST /api/v1/log/entries (createLogEntry)
  • POST /api/v1/log/entries/retrieve (searchLogQuery)

Both invoke V001Entry.Canonicalize() → fetchExternalEntities() → apk.Unmarshal(packageData), which performs the unbounded decompression.

Workarounds

There is no effective workaround. Setting max_request_body_size reduces but does not eliminate exposure due to the ~1000:1 compression ratio (a 1MB body limit still allows ~1GB heap allocation). Setting max_apk_metadata_size has no effect on this vulnerability since the check is applied after decompression.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/rekor (github.com/sigstore/rekor)

v1.5.2

Compare Source

Changelog
  • 759b98e alpine: Enforce max size limit on decompression (#2831)
  • c7e77ee Support restricting kinds on insertion (#2814)
  • a10818a fix(trillianclient): strip dns:/// scheme from TLS ServerName in gRPC dial (#2812)
  • 8a2f3a2 add checks to ensure returned entries match client inputs to rekor-cli (#2799)
  • 0e88bac add nil pointer check to resolve fuzzing crash (#2807)
  • 93da954 client: surface last-response details after retries are exhausted (#2796)
  • 4d67ecd Fix internal error detail leakage in 500 responses (#2801)
  • b34ca94 add defensive check to ensure tid is in config ahead of getting client (#2795)
  • 656c832 restapi: include inactiveShards in the homepage total count (#2797)
Thanks for all contributors!

v1.5.1

Compare Source

Features

  • optimize memory for DSSE v0.0.1 processing (#2766)

Bug Fixes

  • Type assert the entry bundle when verifying inclusion proof (#2755)
  • return correct errors in rare failure situations (#2753)
  • raise error if decoding hash fails during inclusion proof (#2754)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
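The decompression-bomb mechanism in the advisory quoted above (a gzip member of zeros that expands at roughly 1000:1, with the size check only applied after the whole member is already in memory) is shown here as an added Go example. It is not code from this page, from Rekor, or from the fix commit listed in the changelog; the function names, the 64 KiB limit and the 1 MiB constructed bomb are all assumptions chosen so the demo runs safely. `gunzipUnbounded` mirrors the vulnerable read-everything pattern; `gunzipBounded` caps memory on the decompressed stream before any allocation can grow past the limit.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when a gzip member expands past the caller's limit.
var ErrDecompressedTooLarge = errors.New("gzip member exceeds decompressed size limit")

// makeZeroGzip builds a constructed gzip member holding n zero bytes. Long runs
// of zeros deflate at roughly 1000:1, which is the bomb shape the advisory describes.
func makeZeroGzip(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zeros := make([]byte, 64*1024)
	for rem := n; rem > 0; {
		chunk := len(zeros)
		if rem < chunk {
			chunk = rem
		}
		if _, err := zw.Write(zeros[:chunk]); err != nil {
			panic(err)
		}
		rem -= chunk
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// gunzipUnbounded is the vulnerable pattern: the whole member is expanded into a
// heap buffer before any size check can run. Scaled up, a 2 MB bomb becomes a
// 2 GB allocation here, and a Go runtime out-of-memory is not a recoverable panic.
func gunzipUnbounded(compressed []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// gunzipBounded is the hardened pattern: the limit is enforced on the
// decompressed stream as it is read, so memory use is capped at maxSize+1 bytes
// regardless of the compression ratio. Reading one byte past the limit lets us
// tell "exactly maxSize" apart from "more than maxSize".
func gunzipBounded(compressed []byte, maxSize int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	data, err := io.ReadAll(io.LimitReader(zr, maxSize+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxSize {
		return nil, ErrDecompressedTooLarge
	}
	return data, nil
}

func main() {
	const limit = 64 * 1024      // hypothetical metadata cap, applied during decompression
	const bombSize = 1 << 20     // 1 MiB of zeros: small enough to run, same shape as the bomb
	bomb := makeZeroGzip(bombSize)
	fmt.Printf("bomb: %d bytes compressed -> %d bytes decompressed (~%d:1)\n",
		len(bomb), bombSize, bombSize/len(bomb))

	out, err := gunzipUnbounded(bomb)
	fmt.Printf("unbounded: allocated %d bytes, err=%v\n", len(out), err)

	out, err = gunzipBounded(bomb, limit)
	fmt.Printf("bounded(%d): got %d bytes, err=%v\n", limit, len(out), err)

	legit := makeZeroGzip(1000)
	out, err = gunzipBounded(legit, limit)
	fmt.Printf("bounded(%d) on small input: got %d bytes, err=%v\n", limit, len(out), err)
}
```

The point the example makes is the one the Workarounds section makes: a cap on the request body does not help against a 1000:1 ratio, and a cap checked after decompression does not help at all, so the limit has to wrap the decompressing reader itself. The changelog entry "alpine: Enforce max size limit on decompression (#2831)" is the upstream fix; its implementation is not shown on this page, and this block is not a copy of it.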

@renovate

renovate Bot commented Jun 26, 2026

Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum
Command failed: go mod tidy
go: finding module for package knative.dev/pkg/metrics
go: finding module for package knative.dev/pkg/tracing/config
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/tracing/config

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 26, 2026


🤖 Finished Review · ✅ Success · Started 9:02 PM UTC · Completed 9:09 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review


Looks good to me


Labels: Renovate bot dependency update for Go modules

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge dependencies Pull requests that update a dependency file labels Jun 26, 2026