Homepage

Reachable Assertion Affecting cosign package, versions <3.0.4-r3

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.02% (5th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-COSIGN-15169529
  • published2 Feb 2026
  • disclosed22 Jan 2026
Report a new vulnerability Found a mistake?

Introduced: 22 Jan 2026

NewCVE-2026-23991  (opens in a new tab)
CWE-617  (opens in a new tab)
CWE-754  (opens in a new tab)

How to fix?

Upgrade Minimos:latest cosign to version 3.0.4-r3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream cosign package and not the cosign package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.