go-tuf Denial-of-Service Vulnerability via Malformed TUF Metadata

Vulnerability

A denial-of-service vulnerability has been identified in go-tuf, a Go implementation of The Update Framework (TUF). This issue affects versions 2.0.0 prior to 2.3.1. The vulnerability arises when a TUF repository or its mirrors return invalid TUF metadata JSON: the JSON itself may be syntactically valid, yet it does not conform to the expected TUF metadata structure. When the client attempts to parse this malformed data, it panics, leading to a crash. Notably, this panic occurs before any signature validation, so a compromised repository, mirror, or cache can disrupt client operations without needing access to signing keys.
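To make the failure mode concrete, the following Go example (added here; not go-tuf's own code, and the envelope types, naiveType and parseEnvelope are hypothetical illustrations of the defect class) contrasts a parser that assumes the shape of a TUF envelope and panics on syntactically valid but structurally wrong JSON with one that validates structure and returns an error before any signature check runs:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Illustrative TUF-style envelope (top-level "signed"/"signatures" per the TUF
// spec). These types and functions are an example, not go-tuf's own code.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Signed struct {
	Type    string `json:"_type"`
	Version int    `json:"version"`
}
type Envelope struct {
	Signed     json.RawMessage `json:"signed"`
	Signatures []Signature     `json:"signatures"`
}

var ErrMalformed = errors.New("malformed TUF metadata")

// naiveType shows the defect class: the JSON parses, but the code assumes a
// shape it never checked, so a string or null "signed" panics on the assertion.
func naiveType(data []byte) string {
	var m map[string]interface{}
	_ = json.Unmarshal(data, &m)
	return m["signed"].(map[string]interface{})["_type"].(string)
}

// parseEnvelope fails closed: every structural expectation is checked and
// reported as an error before anything is dereferenced or a signature verified.
func parseEnvelope(data []byte, wantType string) (*Signed, []Signature, error) {
	var env Envelope
	var s Signed
	if err := json.Unmarshal(data, &env); err != nil {
		return nil, nil, fmt.Errorf("%w: %v", ErrMalformed, err)
	}
	if len(env.Signed) == 0 || len(env.Signatures) == 0 {
		return nil, nil, fmt.Errorf("%w: missing signed or signatures", ErrMalformed)
	}
	if err := json.Unmarshal(env.Signed, &s); err != nil || s.Type != wantType || s.Version < 1 {
		return nil, nil, fmt.Errorf("%w: signed is not %s metadata (%v)", ErrMalformed, wantType, err)
	}
	return &s, env.Signatures, nil
}
```

Callers that wrap errors with errors.Is(err, ErrMalformed) can distinguish a bad mirror response from a verification failure and retry from another mirror instead of crashing.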

Impact

Exploiting this vulnerability causes the client to crash while parsing TUF metadata, potentially leading to a restart or crash loop in long-running services.

Remediation

Users can upgrade to version 2.3.1 or later to address this vulnerability.

Added: Jan 22, 2026, 3:30 AM
Updated: Jan 22, 2026, 3:30 AM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 2.5
exploitability: 5.0
remediation: 7.7
relevance: 2.3
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.