- CVE-2026-23831
Rekor’s COSE v0.0.1 entry type nil pointer dereference in Canonicalize via empty Message
Moderate severity GitHub Reviewed Published Jan 22, 2026 in sigstore/rekor • Updated Jan 22, 2026
Package
gomod github.com/sigstore/rekor (Go)
Affected versions
<= 1.4.3
Summary
Rekor’s cose v0.0.1 entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry whose spec.message is empty. validate() treats an empty message as success and returns nil without parsing anything, so the sign1Msg pointer is left nil; Canonicalize() then dereferences v.sign1Msg.Payload and hits a nil pointer dereference.
Impact
A malformed proposed entry of the cose/v0.0.1 type causes a panic in the goroutine handling the request. The server recovers the panic, so the client receives an HTTP 500 and Rekor keeps serving other requests; the availability impact is therefore minimal.
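The following is an added illustration of the pattern described in the Summary and Impact above; it is not Rekor's code and not the v1.5.0 patch. The types sign1Message, proposedEntry and coseEntry are stand-ins for the real entry type's state, validateVulnerable reproduces the "empty message returns nil" gap, validateFixed shows the up-front check that closes it, canonicalize keeps the unguarded dereference, and process models a handler that recovers the panic and turns it into an error, as the advisory says the server does.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// sign1Message stands in for the parsed COSE_Sign1 structure (go-cose's
// Sign1Message in the real code); only Payload matters here.
type sign1Message struct {
	Payload []byte
}

// proposedEntry is a constructed stand-in for a cose/v0.0.1 proposed entry;
// Message plays the role of spec.message.
type proposedEntry struct {
	Message []byte `json:"message,omitempty"`
}

// coseEntry models the entry type's in-memory state: a pointer that is only
// populated once validation has actually parsed a message.
type coseEntry struct {
	sign1Msg *sign1Message
}

// validateVulnerable reproduces the advisory's bug: an empty message is
// treated as "nothing to check" and the function reports success while
// sign1Msg is still nil.
func (v *coseEntry) validateVulnerable(pe proposedEntry) error {
	if len(pe.Message) == 0 {
		return nil // BUG: success, but sign1Msg was never set
	}
	v.sign1Msg = &sign1Message{Payload: pe.Message}
	return nil
}

// validateFixed rejects an empty message up front, so a nil error from
// validation guarantees sign1Msg is populated.
func (v *coseEntry) validateFixed(pe proposedEntry) error {
	if len(pe.Message) == 0 {
		return errors.New("cose entry: message must not be empty")
	}
	v.sign1Msg = &sign1Message{Payload: pe.Message}
	return nil
}

// canonicalize dereferences sign1Msg without a nil check, which is what turns
// the validation gap into a runtime panic.
func (v *coseEntry) canonicalize() ([]byte, error) {
	return json.Marshal(map[string][]byte{"payload": v.sign1Msg.Payload})
}

// process runs validate then canonicalize the way a request handler would,
// recovering any panic so the caller sees an error instead of a crash.
// panicked reports whether the recovery path was taken.
func process(validate func(*coseEntry, proposedEntry) error, pe proposedEntry) (panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	v := &coseEntry{}
	if err = validate(v, pe); err != nil {
		return false, err
	}
	_, err = v.canonicalize()
	return false, err
}

func main() {
	empty := proposedEntry{} // constructed input: no spec.message at all
	p, err := process((*coseEntry).validateVulnerable, empty)
	fmt.Printf("vulnerable: panicked=%v err=%v\n", p, err)
	p, err = process((*coseEntry).validateFixed, empty)
	fmt.Printf("fixed:      panicked=%v err=%v\n", p, err)
}
```

The vulnerable path reaches canonicalize with a nil pointer and only the deferred recover stands between the request and a crashed process, which matches the advisory's "recovered panic, 500 to the client" description. The fixed path fails closed inside validation with an ordinary error, which is the shape of check validate() needs to make; a nil check inside Canonicalize() would be a reasonable second line of defence but should not be the only one.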
Patches
Upgrade to v1.5.0
Workarounds
None
References
- GHSA-273p-m2cw-6833
- sigstore/rekor@39bae3d
- https://github.com/sigstore/rekor/releases/tag/v1.5.0