Sigstore-python, CSRF in OIDC Authentication, CVE-2024-XXXXX (Low)

Listen to this Post

The vulnerability exists within the OIDC authentication flow of the `sigstore-python` client. During the signing process, when a user is redirected to an OAuth provider (like GitHub or Google), the client’s `_OAuthSession` correctly generates a unique cryptographically random “state” parameter. This state is sent to the OAuth server to prevent Cross-Site Request Forgery (CSRF). However, the client fails to validate that the “state” value returned by the OAuth server in the callback response matches the original state it sent. An attacker can craft a malicious link that initiates an OAuth flow. If a user clicks this link and completes authentication, the attacker can intercept the final callback. By forwarding this callback (containing the attacker’s authenticated identity but the victim’s session) back to the victim’s client application, the victim’s `sigstore-python` session will accept it without verifying the state. This causes the victim to sign an artifact, but the signature will incorrectly attest the attacker’s identity, leading to confusion and potential misuse of the signing event.
Platform: sigstore-python
Version: <1.0
Vulnerability: OIDC CSRF
Severity: Low
date: 2026-01-26

Prediction: Patch by 2026-02-02

What Undercode Say:

Analytics:

Simulating the vulnerable state check
if received_state != original_state: This check is MISSING
raise CSRFError
Attacker's crafted initiation URL
curl "http://localhost:8080/auth?state=attacker_chosen_value"
Intercepting callback with simple netcat
nc -l 8080 | grep "code&state"

How Exploit:

1. Attacker crafts malicious OIDC initiation URL.

2. Victim clicks, authenticates with provider.

3. Attacker intercepts OAuth callback response.

4. Attacker forwards response to victim’s client.

5. Victim’s client processes callback without state validation.

6. Signature generated with attacker’s identity.

Protection from this CVE:

Implement state parameter validation.

Use PKCE alongside OAuth state.

Update to patched version.

Impact:

Incorrect identity attribution.

Confusion in audit logs.

No direct code execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top