Severity: high · 7.5 · CVE-2026-48815 · Jul 1, 2026

CVE-2026-48815: sigstore certificateOIDs Verification Constraint Silently Dropped

Shubham Kandhare
Security Engagement Manager, SecureLayer7

The sigstore npm package accepts a certificateOIDs option to restrict which signing certificates are trusted, but silently discards those constraints before verification, so any certificate that passe

Package: sigstore
Ecosystem: npm
Affected: <= 4.1.0
Fixed in: 4.1.1

The problem

In sigstore <= 4.1.0, the internal `createVerificationPolicy` function builds the policy object passed to the verifier. It copies the SAN and issuer fields into the policy, but never includes `certificateOIDs`.

The result is that callers who set required OID/value pairs on `sigstore.verify()` or `createVerifier()` receive no enforcement at all. A certificate missing the required extensions passes verification silently.

Proof of concept

A working proof-of-concept for CVE-2026-48815 in sigstore, with the exact payload below.

```javascript
// Demonstrates that certificateOIDs is dropped from the constructed policy.
// Run with: node poc.js
const { createVerificationPolicy } = require('sigstore/dist/config');

const policy = createVerificationPolicy({
  certificateIssuer: 'https://issuer.example',
  certificateIdentityEmail: 'victim@example.com',
  certificateOIDs: {
    '1.2.3.4': 'required-value',
  },
});

// Prints: false {"subjectAlternativeName":"victim@example.com","extensions":{"issuer":"https://issuer.example"}}
// certificateOIDs is absent from the policy; the verifier never sees it.
console.log('certificateOIDs' in policy, JSON.stringify(policy));
```

The root cause is in `createVerificationPolicy` in `sigstore/src/config.ts`. The function constructs the policy by copying only `subjectAlternativeName` and `extensions.issuer` from the caller-supplied options. The `certificateOIDs` map is accepted by the public API type signature but never read or forwarded.

The patch in 4.1.1 adds the missing mapping: it iterates over `certificateOIDs` and merges each OID/value pair into the `extensions` object that is returned as part of the policy, so the underlying `@sigstore/verify` engine finally receives and enforces those constraints.

CWE-347 (Improper Verification of Cryptographic Signature) applies because the library silently omits a caller-specified constraint, causing the effective verification policy to be weaker than intended.

The fix

Upgrade the `sigstore` npm package to version 4.1.1 or later. No configuration change is needed; the fix is internal. If upgrading immediately is not possible, remove reliance on `certificateOIDs` as a security control and enforce OID constraints at a layer outside of sigstore until you can patch.
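The following added example is not sigstore's source code; it is a minimal reconstruction of the policy-building step described above (the <= 4.1.0 shape that copies only SAN and issuer, beside the 4.1.1 shape that merges `certificateOIDs` into `extensions`) together with a small policy check standing in for the `@sigstore/verify` engine, so the effect of the dropped field can be observed on a constructed certificate. The same check doubles as the out-of-band OID enforcement suggested as a workaround. Everything except the names quoted in the advisory (`createVerificationPolicy`, `certificateOIDs`, `subjectAlternativeName`, `extensions.issuer`) is an assumption: the certificate object, `checkCertificateAgainstPolicy`, `enforceCertificateOids` and `demonstrate` are invented for illustration.

```javascript
// Added example, not sigstore's own code. Reconstructs the policy builder in
// its vulnerable and fixed shapes and evaluates both against a constructed
// certificate. All helper and field names here are assumptions.

// Vulnerable shape (<= 4.1.0 as described in the advisory): only the SAN and
// the issuer are copied; options.certificateOIDs is never read.
function createVerificationPolicyVulnerable(options) {
  const policy = {};
  if (options.certificateIdentityEmail) {
    policy.subjectAlternativeName = options.certificateIdentityEmail;
  }
  if (options.certificateIssuer) {
    policy.extensions = { issuer: options.certificateIssuer };
  }
  return policy;
}

// Fixed shape (4.1.1 as described): each OID/value pair is merged into the
// extensions object that the verifier receives.
function createVerificationPolicyFixed(options) {
  const policy = createVerificationPolicyVulnerable(options);
  if (options.certificateOIDs) {
    policy.extensions = { ...(policy.extensions ?? {}), ...options.certificateOIDs };
  }
  return policy;
}

// Stand-in for the verifier's policy evaluation (assumed, not @sigstore/verify):
// every key in policy.extensions must be present on the certificate with the
// same value. A certificate is modelled as { subjectAlternativeName, extensions }.
function checkCertificateAgainstPolicy(cert, policy) {
  const failures = [];
  if (policy.subjectAlternativeName !== undefined &&
      cert.subjectAlternativeName !== policy.subjectAlternativeName) {
    failures.push(`SAN mismatch: ${cert.subjectAlternativeName}`);
  }
  const certExtensions = cert.extensions ?? {};
  for (const [key, want] of Object.entries(policy.extensions ?? {})) {
    const got = certExtensions[key];
    if (got === undefined) {
      failures.push(`missing extension ${key}`);
    } else if (got !== want) {
      failures.push(`extension ${key}: ${got}`);
    }
  }
  return { ok: failures.length === 0, failures };
}

// Workaround layer for callers still on <= 4.1.0: after sigstore.verify()
// succeeds, re-check the signing certificate's extensions independently.
// Assumes the caller has already extracted them into an OID -> value map.
function enforceCertificateOids(certExtensions, requiredOids) {
  return checkCertificateAgainstPolicy({ extensions: certExtensions }, { extensions: requiredOids });
}

// Constructed inputs: the options from the advisory's proof of concept and a
// certificate that carries the right SAN and issuer but not the custom OID.
const options = {
  certificateIssuer: 'https://issuer.example',
  certificateIdentityEmail: 'victim@example.com',
  certificateOIDs: { '1.2.3.4': 'required-value' },
};
const certMissingOid = {
  subjectAlternativeName: 'victim@example.com',
  extensions: { issuer: 'https://issuer.example' },
};
const certWithOid = {
  subjectAlternativeName: 'victim@example.com',
  extensions: { issuer: 'https://issuer.example', '1.2.3.4': 'required-value' },
};

// Runs the same certificate through both policy shapes.
function demonstrate() {
  const vulnerable = checkCertificateAgainstPolicy(certMissingOid, createVerificationPolicyVulnerable(options));
  const fixed = checkCertificateAgainstPolicy(certMissingOid, createVerificationPolicyFixed(options));
  return {
    vulnerableAccepts: vulnerable.ok,   // true: the OID constraint was dropped
    fixedAccepts: fixed.ok,             // false: the OID is now required
    fixedFailures: fixed.failures,
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The vulnerable builder yields a policy that is indistinguishable from one where the caller never asked for OID constraints, which is exactly why the verifier cannot enforce them; the fixed builder makes the requirement visible in `extensions`, and `enforceCertificateOids` applies the same rule when the check has to live outside the library.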

Reporter not attributed.

