Update module github.com/sigstore/rekor to v1.5.2 [SECURITY] (release-v0.7)#3363

Open
renovate[bot] wants to merge 1 commit into
release-v0.7from
renovate/release-v0.7-go-github.com-sigstore-rekor-vulnerability
Conversation

renovate Bot commented Jun 26, 2026 (Contributor)

This PR contains the following updates:

Package: github.com/sigstore/rekor
Change: v1.5.0 → v1.5.2
(Renovate's age / adoption / passing / confidence badges are not reproduced here.)

Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic

CVE-2026-48702 / GHSA-47q9-m4ww-924m


Description

The Package.Unmarshal() function in pkg/types/alpine/apk.go decompresses the signature and control gzip members of an APK file into in-memory buffers without bounding the total decompressed size. The existing max_apk_metadata_size check (default 1MB) is only applied to individual tar entry header sizes after decompression completes, so it does not prevent a decompression bomb from consuming unbounded heap memory.

An attacker can craft a gzip stream that compresses at a ~1000:1 ratio (e.g., 2MB compressed zeros → 2GB decompressed). When submitted as spec.package.content in an Alpine ProposedEntry, the server decompresses the full payload into memory during request processing, triggering a fatal Go runtime out-of-memory error or OS OOM-kill that cannot be caught by the server's recover() middleware.

This is reachable via two unauthenticated endpoints:

  • POST /api/v1/log/entries (createLogEntry)
  • POST /api/v1/log/entries/retrieve (searchLogQuery)

Both invoke V001Entry.Canonicalize() → fetchExternalEntities() → apk.Unmarshal(packageData), which performs the unbounded decompression.

Workarounds

There is no effective workaround. Setting max_request_body_size reduces but does not eliminate exposure due to the ~1000:1 compression ratio (a 1MB body limit still allows ~1GB heap allocation). Setting max_apk_metadata_size has no effect on this vulnerability since the check is applied after decompression.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/rekor (github.com/sigstore/rekor)

v1.5.2

Changelog
  • 759b98e alpine: Enforce max size limit on decompression (#2831)
  • c7e77ee Support restricting kinds on insertion (#2814)
  • a10818a fix(trillianclient): strip dns:/// scheme from TLS ServerName in gRPC dial (#2812)
  • 8a2f3a2 add checks to ensure returned entries match client inputs to rekor-cli (#2799)
  • 0e88bac add nil pointer check to resolve fuzzing crash (#2807)
  • 93da954 client: surface last-response details after retries are exhausted (#2796)
  • 4d67ecd Fix internal error detail leakage in 500 responses (#2801)
  • b34ca94 add defensive check to ensure tid is in config ahead of getting client (#2795)
  • 656c832 restapi: include inactiveShards in the homepage total count (#2797)
Thanks for all contributors!

v1.5.1

Features

  • optimize memory for DSSE v0.0.1 processing (#2766)

Bug Fixes

  • Type assert the entry bundle when verifying inclusion proof (#2755)
  • return correct errors in rare failure situations (#2753)
  • raise error if decoding hash fails during inclusion proof (#2754)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.
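The advisory above hinges on ordering: a size check applied after io.ReadAll has already inflated the whole gzip member cannot stop a decompression bomb, whereas a limit applied while reading does. The following Go program is an added illustration of that difference; it is not Rekor's code and does not reproduce the actual fix in 759b98e. The helper names (makeGzipBomb, readMemberUnbounded, readMemberBounded), the 8 MiB constructed payload and the 1 MiB limit (chosen to stand in for the default max_apk_metadata_size) are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is what a bounded decoder returns once a member exceeds the limit.
var ErrTooLarge = errors.New("gzip member exceeds maximum decompressed size")

// makeGzipBomb returns a gzip stream that inflates to n zero bytes. Long runs of
// zeros compress at roughly 1000:1, the ratio the advisory cites (constructed input,
// not a real APK member).
func makeGzipBomb(n int) []byte {
	var out bytes.Buffer
	zw, err := gzip.NewWriterLevel(&out, gzip.BestCompression)
	if err != nil {
		panic(err)
	}
	zeros := make([]byte, 64*1024)
	for written := 0; written < n; {
		chunk := len(zeros)
		if n-written < chunk {
			chunk = n - written
		}
		if _, err := zw.Write(zeros[:chunk]); err != nil {
			panic(err)
		}
		written += chunk
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return out.Bytes()
}

// readMemberUnbounded mirrors the vulnerable pattern: inflate the whole member into
// memory, then compare its size against the limit. The check runs too late; the
// returned int is how many bytes were already held in memory when it ran.
func readMemberUnbounded(compressed []byte, limit int64) ([]byte, int, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, 0, err
	}
	defer zr.Close()
	data, err := io.ReadAll(zr) // allocates the full decompressed payload
	if err != nil {
		return nil, 0, err
	}
	if int64(len(data)) > limit {
		return nil, len(data), ErrTooLarge // the heap was already consumed
	}
	return data, len(data), nil
}

// readMemberBounded enforces the limit during inflation. io.LimitReader stops the
// read at limit+1 bytes, so a bomb is rejected after allocating roughly the limit,
// and the extra byte is what tells a legitimate member at exactly the limit apart
// from one that is larger.
func readMemberBounded(compressed []byte, limit int64) ([]byte, int, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, 0, err
	}
	defer zr.Close()
	data, err := io.ReadAll(io.LimitReader(zr, limit+1))
	if err != nil {
		return nil, 0, err
	}
	if int64(len(data)) > limit {
		return nil, len(data), ErrTooLarge
	}
	return data, len(data), nil
}

func main() {
	const limit = 1 << 20 // assumed stand-in for the default max_apk_metadata_size (1MB)
	const inflated = 8 << 20
	bomb := makeGzipBomb(inflated)
	fmt.Printf("bomb: %d bytes compressed -> %d bytes inflated (%.0f:1)\n",
		len(bomb), inflated, float64(inflated)/float64(len(bomb)))

	_, held, err := readMemberUnbounded(bomb, limit)
	fmt.Printf("unbounded: err=%v, bytes held before the check ran=%d\n", err, held)

	_, held, err = readMemberBounded(bomb, limit)
	fmt.Printf("bounded:   err=%v, bytes held before the check ran=%d\n", err, held)
}
```

Run with `go run .`; the unbounded path reports the full 8 MiB held in memory before it errors, the bounded path stops at 1 MiB + 1 byte. Scaling the constructed payload to the 2 GB the advisory mentions would reproduce the OOM on the unbounded path, which is why the example keeps it small. Note that a LimitReader stops before the gzip trailer, so the bounded path does not get a CRC check on oversized input; that is acceptable because the member is rejected anyway.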

renovate Bot commented Jun 26, 2026 (Contributor, Author)

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: acceptance/go.sum
Command failed: go mod tidy
go: downloading github.com/onsi/gomega v1.38.2
go: downloading github.com/onsi/ginkgo/v2 v2.27.2
go: downloading k8s.io/apiserver v0.35.4
go: downloading k8s.io/component-base v0.35.4
go: downloading golang.org/x/tools v0.44.0
go: downloading github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
go: downloading go.etcd.io/etcd/client/pkg/v3 v3.6.5
go: downloading go.etcd.io/etcd/client/v3 v3.6.5
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0
go: downloading github.com/evanphx/json-patch v5.9.0+incompatible
go: downloading knative.dev/eventing v0.30.3
go: downloading sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2
go: downloading go.etcd.io/etcd/api/v3 v3.6.5
go: downloading cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084
go: downloading github.com/pelletier/go-toml/v2 v2.2.4
go: downloading github.com/emicklei/proto v1.14.2
go: downloading github.com/protocolbuffers/txtpbfmt v0.0.0-20251016062345-16587c79cd91
go: finding module for package knative.dev/pkg/metrics
go: downloading knative.dev/pkg v0.0.0-20260622140654-39ebae2ee2dc
go: finding module for package knative.dev/pkg/tracing/config
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/metrics: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/metrics
go: github.com/conforma/cli/acceptance/kubernetes/kind imports
	github.com/tektoncd/cli/pkg/formatted tested by
	github.com/tektoncd/cli/pkg/formatted.test imports
	github.com/tektoncd/cli/pkg/test imports
	github.com/tektoncd/triggers/test imports
	github.com/tektoncd/triggers/pkg/reconciler/eventlistener/resources imports
	knative.dev/eventing/pkg/reconciler/source imports
	knative.dev/pkg/tracing/config: module knative.dev/pkg@latest found (v0.0.0-20260622140654-39ebae2ee2dc), but does not contain package knative.dev/pkg/tracing/config

fullsend-ai-review Bot commented Jun 26, 2026
🤖 Finished Review · ✅ Success · Started 8:58 PM UTC · Completed 9:07 PM UTC
Commit: 47d3320

codecov Bot commented Jun 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
generative 69.55% <ø> (ø)
integration 69.55% <ø> (ø)
unit 69.55% <ø> (ø)

Flags with carried forward coverage won't be shown.

fullsend-ai-review Bot commented

Looks good to me


Labels: Dependency version bump PR updating Go modules (go.mod/go.sum).

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge dependencies Pull requests that update a dependency file labels Jun 26, 2026
Labels

dependencies Pull requests that update a dependency file ready-for-merge All reviewers approved — ready to merge release-v0.7 renovate size: XL
