CVSS Score: 7.5 Published: 2026-03-11 Full Report: https://cvereports.com/reports/CVE-2026-31830
sigstore-ruby prior to version 0.2.3 contains a critical logic flaw in its verification routine for DSSE bundles. An unchecked return value allows an attacker to bypass artifact binding checks, facilitating supply chain attacks via artifact swapping.
A missing return value check in sigstore-ruby allows attackers to bind legitimate Sigstore signatures to malicious artifacts, achieving complete verification bypass.
- CWE ID: CWE-252 (Unchecked Return Value)
- Attack Vector: Network
- CVSS v3.1 Score: 7.5 (High)
- EPSS Score: 0
- Impact: Integrity Bypass / Supply Chain Compromise
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
- sigstore-ruby < 0.2.3
- Ruby applications implementing Sigstore DSSE bundle verification
- sigstore-ruby: < 0.2.3 (Fixed in:
0.2.3)
- Upgrade sigstore-ruby to version 0.2.3 or higher.
- Implement manual digest verification of in-toto payloads if patching is delayed.
- Audit CI/CD pipeline logs for instances of unexpected artifact digest mismatches prior to patch application.
Remediation Steps:
- Identify all projects utilizing sigstore-ruby in Gemfile or gemspec.
- Update the version constraint to require >= 0.2.3.
- Run bundle update sigstore-ruby.
- Execute the project's test suite to ensure the updated verification logic functions correctly with valid bundles.
- Deploy the updated application to production and CI environments.
Generated by CVEReports - Automated Vulnerability Intelligence