Directory Traversal Affecting sigstore-scaffolding package, versions <0.7.31-r5


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.21% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-WOLFILATEST-SIGSTORESCAFFOLDING-15415513
  • published5 Mar 2026
  • disclosed27 Jan 2026

Introduced: 27 Jan 2026

CVE-2026-24686  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade Wolfi sigstore-scaffolding to version 0.7.31-r5 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream sigstore-scaffolding package and not the sigstore-scaffolding package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (repoName) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a repoName containing traversal (e.g., ../escaped-repo) and cause go-tuf to create directories and write the root metadata file outside the intended LocalMetadataDir cache base, within the running process's filesystem permissions. Version 2.4.1 contains a patch.

CVSS Base Scores

version 3.1