Allocation of Resources Without Limits or Throttling Affecting connaisseur package, versions <3.10.0-r2


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.65% (48th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-CONNAISSEUR-17804284
  • published3 Jul 2026
  • disclosed17 Jul 2026

Introduced: 3 Jul 2026

NewCVE-2026-49835  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade Minimos:latest connaisseur to version 3.10.0-r2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream connaisseur package and not the connaisseur package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an unauthenticated remote attacker to issue requests with random paths such as /api/v1/timestamp/<uuid> or random HTTP methods and create unbounded permanent time-series entries that exhaust memory. This issue is fixed in version 2.1.0.