Insufficient Verification of Data Authenticity Affecting @sigstore/verify package, versions >=3.1.0 <3.1.1


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.16% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-SIGSTOREVERIFY-17817056
  • published4 Jul 2026
  • disclosed1 Jul 2026
  • creditUnknown

Introduced: 1 Jul 2026

NewCVE-2026-48816  (opens in a new tab)
CWE-345  (opens in a new tab)

How to fix?

Upgrade @sigstore/verify to version 3.1.1 or higher.

Overview

@sigstore/verify is a Verification of Sigstore signatures

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the integratedTime process. An attacker can manipulate time-based verification decisions by supplying a crafted bundle that sets an unauthenticated value for integratedTime, thereby influencing certificate validity checks and bypassing intended trust boundaries.

CVSS Base Scores

version 4.0
version 3.1