# CVE-2026-48816

## Summary

sigstore-js Insufficient Verification of Data Authenticity

## Description

Target repo: https://github.com/sigstore/sigstore-js. Vulnerable package: `@sigstore/verify` (npm). Affected version: 3.1.0; fixed in 3.1.1.

For bundle v0.2, the verifier derives a transparency-log timestamp from `tlogEntries[].integratedTime` and uses it both for checking certificate validity and for the `timestampThreshold`. In entries that carry only an `inclusionProof`, `integratedTime` is not cryptographically bound, so an attacker supplying a malicious bundle can influence time-based verification.

Reproduction: clone the sigstore-js repo at the vulnerable commit, install dependencies, and run the attached PoC harness (poc.zip) with `make canonical` and `make control`. The canonical run should hit the callsite and proof markers; the control run should show the negative-control marker. The advisory includes poc.zip, PR_DESCRIPTION.md, and SUBMISSION.md.
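
As an added illustration (not code from sigstore-js or from the advisory's PoC), the following TypeScript models the timestamp choice described above on constructed bundle-shaped objects: the vulnerable selector accepts `integratedTime` from any entry, while the hardened one ignores it unless an `inclusionPromise` is present and its signed entry timestamp verifies, because the Merkle inclusion proof commits to the entry body and not to `integratedTime`. The entry shape, the `setVerifies` callback and the certificate validity window are assumptions for the example.

```typescript
// Added illustration, not sigstore-js code. Field names follow the Sigstore
// bundle v0.2 transparency-log entry; the SET verifier is a stand-in callback.
type TLogEntry = {
  logIndex: string;
  integratedTime: string;                              // seconds since epoch
  inclusionPromise?: { signedEntryTimestamp: string }; // SET: signs integratedTime
  inclusionProof?: { rootHash: string; hashes: string[] }; // commits to body only
};

// Vulnerable selection: trusts integratedTime from every entry, bound or not.
function timestampsVulnerable(entries: TLogEntry[]): Date[] {
  return entries.map((e) => new Date(Number(e.integratedTime) * 1000));
}

// Hardened selection: integratedTime counts only when an inclusionPromise is
// present and its SET verifies; proof-only entries contribute no timestamp.
function timestampsHardened(
  entries: TLogEntry[],
  setVerifies: (e: TLogEntry) => boolean,
): Date[] {
  const out: Date[] = [];
  for (const e of entries) {
    if (e.inclusionPromise === undefined) continue; // unbound value, ignore it
    if (!setVerifies(e)) throw new Error(`bad SET on log index ${e.logIndex}`);
    out.push(new Date(Number(e.integratedTime) * 1000));
  }
  return out;
}

// Certificate validity on time grounds: some trusted timestamp must fall inside
// [notBefore, notAfter]; with no trusted timestamp the check cannot pass.
function certValidAtTrustedTime(notBefore: Date, notAfter: Date, times: Date[]): boolean {
  return times.some(
    (t) => t.getTime() >= notBefore.getTime() && t.getTime() <= notAfter.getTime(),
  );
}

// Constructed scenario: a leaf certificate valid for ten minutes, and a bundle
// whose only tlog entry carries an inclusionProof but no inclusionPromise, with
// integratedTime chosen by the bundle author to land inside that window.
const notBefore = new Date("2024-01-01T00:00:00Z");
const notAfter = new Date("2024-01-01T00:10:00Z");
const proofOnlyEntry: TLogEntry = {
  logIndex: "42",
  integratedTime: String(Date.UTC(2024, 0, 1, 0, 5, 0) / 1000),
  inclusionProof: { rootHash: "<constructed>", hashes: [] },
};
const promisedEntry: TLogEntry = { ...proofOnlyEntry, inclusionPromise: { signedEntryTimestamp: "<constructed>" } };
```

With the vulnerable selector the attacker-chosen time satisfies the certificate window; with the hardened selector the proof-only bundle yields no trusted timestamp and the time-based check fails closed.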

## Metadata

- Product: sigstore-js
- Severity: medium
- Status: open
