Description
A flaw was found in Rekor. The `Package.Unmarshal()` function, which processes Alpine Package Keep (APK) files, decompresses gzip streams without limiting the total decompressed size. A remote attacker can exploit this by crafting a malicious APK file with a high compression ratio, causing the server to consume excessive memory. This leads to a Denial of Service (DoS) through an out-of-memory (OOM) error, and can be triggered via unauthenticated API endpoints.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-47q9-m4ww-924m | Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic |
References
History
Tue, 14 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in Rekor. The `Package.Unmarshal()` function, which processes Alpine Package Keep (APK) files, decompresses gzip streams without limiting the total decompressed size. A remote attacker can exploit this by crafting a malicious APK file with a high compression ratio, causing the server to consume excessive memory. This leads to a Denial of Service (DoS) through an out-of-memory (OOM) error, and can be triggered via unauthenticated API endpoints. | |
| Title | github.com/sigstore/rekor: Rekor: Denial of Service due to unbounded gzip decompression in Alpine APK parsing | |
| Weaknesses | CWE-770 | |
| References |
| |
| Metrics |
threat_severity
|
cvssV3_1
|
Subscriptions
No data.
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
Github GHSA