GHSA-47q9-m4ww-924mHighCVSS 7.5

Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic

Published
June 25, 2026
Last Modified
June 25, 2026

🔗 CVE IDs covered (1)

📋 Description

Description

The Package.Unmarshal() function in pkg/types/alpine/apk.go decompresses the signature and control gzip members of an APK file into in-memory buffers without bounding the total decompressed size. The existing max_apk_metadata_size check (default 1MB) is only applied to individual tar entry header sizes after decompression completes, so it does not prevent a decompression bomb from consuming unbounded heap memory.

An attacker can craft a gzip stream that compresses at a ~1000:1 ratio (e.g., 2MB compressed zeros → 2GB decompressed). When submitted as spec.package.content in an Alpine ProposedEntry, the server decompresses the full payload into memory during request processing, triggering a fatal Go runtime out-of-memory error or OS OOM-kill that cannot be caught by the server's recover() middleware.

This is reachable via two unauthenticated endpoints:

  • POST /api/v1/log/entries (createLogEntry)
  • POST /api/v1/log/entries/retrieve (searchLogQuery)

Both invoke V001Entry.Canonicalize()fetchExternalEntities()apk.Unmarshal(packageData), which performs the unbounded decompression.

Workarounds

There is no effective workaround. Setting max_request_body_size reduces but does not eliminate exposure due to the ~1000:1 compression ratio (a 1MB body limit still allows ~1GB heap allocation). Setting max_apk_metadata_size has no effect on this vulnerability since the check is applied after decompression.

🎯 Affected products1

  • go/github.com/sigstore/rekor:>= 0.3.0, < 1.5.2

🔗 References (2)