GHSA-846p-jg2w-w324: go-tuf affected by client DoS via malformed server response

Security Disclosure: Client DoS via malformed server response

Summary

If the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a DoS. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key.

Impact

The client crashes upon receiving and parsing malformed TUF metadata. This can cause long-running services to enter a restart/crash loop.

Workarounds

None currently.

Affected code

The metadata.checkType function did not properly type assert the (untrusted) input, causing it to panic on malformed data.
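The bug class described above, as an added illustrative example (not go-tuf's own code): checkTypeUnsafe and checkTypeSafe are hypothetical reconstructions, and the input shape (a "signed" object carrying a "_type" role string) follows the TUF metadata format. The unsafe form panics on valid JSON that is not well-formed metadata; the hardened form uses comma-ok assertions and returns an error instead.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrMalformed is returned by the hardened check where the buggy one panics.
var ErrMalformed = errors.New("malformed TUF metadata")

// checkTypeUnsafe reconstructs the bug class from the advisory (illustrative,
// not go-tuf's actual code): plain type assertions on untrusted JSON panic as
// soon as the document is valid JSON but not well-formed TUF metadata.
func checkTypeUnsafe(raw []byte, want string) bool {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return false
	}
	signed := doc["signed"].(map[string]any) // panics if "signed" is missing or not an object
	return signed["_type"].(string) == want  // panics if "_type" is missing or not a string
}

// checkTypeSafe is the hardened form: comma-ok assertions turn every shape
// mismatch into an error the caller can log and fail closed on.
func checkTypeSafe(raw []byte, want string) error {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return fmt.Errorf("%w: %v", ErrMalformed, err)
	}
	signed, ok := doc["signed"].(map[string]any)
	if !ok {
		return fmt.Errorf("%w: \"signed\" is not an object", ErrMalformed)
	}
	typ, ok := signed["_type"].(string)
	if !ok {
		return fmt.Errorf("%w: \"_type\" is not a string", ErrMalformed)
	}
	if typ != want {
		return fmt.Errorf("%w: expected role %q, got %q", ErrMalformed, want, typ)
	}
	return nil
}

// recoverPanic runs fn and reports whether it panicked.
func recoverPanic(fn func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	fn()
	return false
}
```

Because the check runs before any signature verification, a TUF client should treat a shape error here exactly like a failed signature: reject the metadata from that mirror and keep the last trusted copy.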

CVE-2026-23991

go-tuf affected by client DoS via malformed server response

Moderate severity • GitHub Reviewed • Published Jan 20, 2026 in theupdateframework/go-tuf • Updated Jan 21, 2026

Package

gomod github.com/theupdateframework/go-tuf (Go)

Affected versions

<= 0.7.0

gomod github.com/theupdateframework/go-tuf/v2 (Go)

References

  • GHSA-846p-jg2w-w324
  • https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1

Published to the GitHub Advisory Database

Jan 21, 2026

Last updated

Jan 21, 2026
