In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade @sigstore/core to version 3.2.1 or higher.
@sigstore/core is a Base library for Sigstore
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the preAuthEncoding function. An attacker can bypass type-binding guarantees by substituting characters in payloadType with Unicode variants that produce identical encoded bytes, allowing signature verification to succeed for altered types.