fix(deps): update module github.com/sigstore/rekor to v1.5.0 [security]#888

Open
renovate-bot wants to merge 1 commit into slsa-framework:main from renovate-bot:renovate/go-github.com-sigstore-rekor-vulnerability

Conversation


@renovate-bot renovate-bot commented Apr 1, 2026

This PR contains the following updates:

Package Change
github.com/sigstore/rekor v1.3.8 -> v1.5.0

Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL

CVE-2026-24117 / GHSA-4c4x-jm2x-pf9j

Summary

/api/v1/index/retrieve supports retrieving a public key via a user-provided URL, allowing attackers to trigger SSRF to arbitrary internal services.

Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through blind SSRF.

Impact
  • SSRF to cloud metadata (169.254.169.254)
  • SSRF to internal Kubernetes APIs
  • SSRF to any service accessible from Fulcio's network

Patches

Upgrade to v1.5.0. Note that this is a breaking change to the search API and fully disables lookups by URL. If you require this feature, please reach out and we can discuss alternatives.

Workarounds

Disable the search endpoint with --enable_retrieve_api=false.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Rekor's COSE v0.0.1 entry type nil pointer dereference in Canonicalize via empty Message

CVE-2026-23831 / GHSA-273p-m2cw-6833

Summary

Rekor’s cose v0.0.1 entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message. validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload.

Impact

A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal.

Patches

Upgrade to v1.5.0

Workarounds

None

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

sigstore/rekor (github.com/sigstore/rekor)

v1.5.0

This release fixes GHSA-273p-m2cw-6833 and GHSA-4c4x-jm2x-pf9j. Note that this
drops support for fetching public keys via URL when querying the search API.

Vulnerability Fixes

  • Handle malformed COSE and DSSE entries (#2729)
  • Drop support for fetching public keys by URL in the search index (#2731)

Features

  • Add support for a custom TLS config for clients (#2709)

v1.4.3

This release reduces dependencies for a number of exported packages.

This release also changes the format of the binary and container signature, which is now a
Sigstore bundle. To verify a release, use the
latest Cosign 3.x, verifying with
cosign verify-blob --bundle <artifact>-keyless.sigstore.json <artifact>.

Improvements

  • use interruptable context to elegantly handle signals in rekor-cli (#2681)
  • restapi: Don't log client errors as errors (#2680)
  • pkg: separate pki types from implementations (#2668)
  • e2e: don't mix e2e and regular utilities (#2672)
  • pkg: remove viper config from spec definitions (#2669)
  • log: remove zap & go-chi dependency from pkg/types (#2667)
  • chore: update go-openapi/runtime to v0.29.0 (#2670)
  • chore: remove double imported mapstructure pkg (#2671)
  • remove archived dependency and use stdlib slices (#2650)

Documentation

  • (docs): guard unsafe int/uint conversions flagged by gosec (#2679)

Contributors

  • AdamKorcz
  • Bob Callaway
  • Jussi Kukkonen
  • Sachin Sampras M
  • Tõnis Tiigi

v1.4.2

This release includes some performance optimizations and a bug fix for publishing events to a pub/sub topic.

Fixes

  • use pubsub client to check IAM permissions (#2605)
  • process type contents serially (#2604)
  • move to direct decoding instead of mapstructure (#2598)
  • optimize performance of regex operations (#2603)

Contributors

  • Bob Callaway

v1.4.1

This release includes updated dependencies for known CVEs, as well as some optimizations to minimize gRPC traffic between Rekor and Trillian.

Fixes

  • use less expensive gRPC call to implement GetLeafAndProofByHash (#2581)
  • move to per-shard trillian client manager (#2564)
  • use cheaper gRPC endpoint when we already have the inclusion proof (#2580)
  • simplify hash and signature verification in rekord type (#2579)
  • use correct type; just look for len() instead of nil check (#2576)
  • return correct error if GetLeafAndProofByHash fails (#2574)
  • fix incorrect client lb policy in test config (#2551)
  • numerous upgraded dependencies

Contributors

  • Bob Callaway
  • Carlos Alexandro Becker

v1.4.0

This is a minor version release given the removal of the stable checkpoint feature. To our knowledge, this was not
used effectively anywhere and therefore was removed from Rekor v1. Witnessing will be added as part of the upcoming
Rekor v2 release.

Features

  • enable retries and timeouts on GCP KMS calls (#2548)
  • allow configuring gRPC default service config for trillian client load balancing & timeouts (#2549)
  • move context handling in trillian RPC calls to be request based and idiomatic (#2536)

Fixes

  • Fix docker compose up --wait failing when Trillian server isn't healthy (#2473)
  • better mysql healthcheck (#2459)
  • numerous upgraded dependencies, including moving to go 1.24

Removed

  • remove stable checkpoint feature (#2537)
  • Don't initialize index storage with stable checkpoint publishing (#2486)

Contributors

  • Bob Callaway
  • Carlos Tadeu Panato Junior
  • Emmanuel Ferdman
  • Hayden B
  • Ramon Petgrave

v1.3.10

Note that Rekor v1 is in maintenance mode as we are actively developing
its successor, Rekor v2, designed to be easy to maintain and cheaper to operate. See the
README for more information.

Features

  • Added --client-signing-algorithms flag (#1974)

Fixes / Misc

  • emit unpopulated values when marshalling (#2438)
  • pkg/api: better logs when algorithm registry rejects a key (#2429)
  • chore: improve mysql readiness checks (#2397)

Contributors

  • Bob Callaway
  • cangqiaoyuzhuo
  • Carlos Tadeu Panato Junior
  • cpanato
  • Hayden B
  • Praful Khanduri
  • Ramon Petgrave
  • Riccardo Schirone
  • rubyisrust
  • Sascha Grunert

v1.3.9

Features

  • Cache checkpoint for inactive shards (#2332)
  • Support per-shard signing keys (#2330)

Contributors

  • Hayden B

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 4am"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
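The cose/v0.0.1 defect from GHSA-273p-m2cw-6833, written out as an added Go example: a validate() that reports success on an empty message leaves the parsed message unset, and Canonicalize() then dereferences a nil pointer, which the request path recovers into a 500 exactly as the advisory describes; the hardened validate() rejects the empty message up front. This is constructed stand-in code, not Rekor's; the Sign1Message, Entry and handleProposedEntry names and the trivial "decoding" are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Sign1Message is a constructed stand-in for a parsed COSE_Sign1 structure.
type Sign1Message struct{ Payload []byte }

// Entry holds the raw message and the parsed form validate() must set first.
type Entry struct {
	Message  []byte
	sign1Msg *Sign1Message
}
// validateVulnerable reproduces the defect: an empty message returns nil (success) but leaves sign1Msg unset.
func (e *Entry) validateVulnerable() error {
	if len(e.Message) == 0 {
		return nil
	}
	e.sign1Msg = &Sign1Message{Payload: e.Message} // stand-in for real COSE decoding
	return nil
}
// validateFixed rejects the empty message, so sign1Msg is always set on success.
func (e *Entry) validateFixed() error {
	if len(e.Message) == 0 {
		return errors.New("cose: spec.message must not be empty")
	}
	e.sign1Msg = &Sign1Message{Payload: e.Message}
	return nil
}
// canonicalize dereferences sign1Msg unconditionally, as the advisory describes.
func (e *Entry) canonicalize() []byte {
	return append([]byte("canonical:"), e.sign1Msg.Payload...)
}
// handleProposedEntry imitates the request path; like the Rekor server it recovers the panic into a 500.
func handleProposedEntry(e *Entry, validate func(*Entry) error) (status int, canon []byte, err error) {
	defer func() {
		if r := recover(); r != nil { status, canon, err = 500, nil, fmt.Errorf("recovered panic: %v", r) }
	}()
	if err := validate(e); err != nil {
		return 400, nil, err
	}
	return 201, e.canonicalize(), nil
}

func main() {
	fmt.Println(handleProposedEntry(&Entry{}, (*Entry).validateVulnerable)) // 500 [] recovered panic: ...
	fmt.Println(handleProposedEntry(&Entry{}, (*Entry).validateFixed))      // 400 [] cose: spec.message ...
}
```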

@forking-renovate

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 43 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.23.2 -> 1.25.0
github.com/go-openapi/runtime v0.28.0 -> v0.29.2
github.com/google/go-cmp v0.6.0 -> v0.7.0
github.com/google/trillian v1.7.1 -> v1.7.2
github.com/secure-systems-lab/go-securesystemslib v0.9.0 -> v0.9.1
github.com/sigstore/sigstore v1.8.12 -> v1.10.3
github.com/google/go-containerregistry v0.20.3 -> v0.20.7
github.com/spf13/cobra v1.8.1 -> v1.10.2
golang.org/x/mod v0.25.0 -> v0.30.0
sigs.k8s.io/release-utils v0.9.0 -> v0.12.3
github.com/go-jose/go-jose/v4 v4.0.5 -> v4.1.3
go.opentelemetry.io/auto/sdk v1.1.0 -> v1.2.1
go.opentelemetry.io/otel/metric v1.33.0 -> v1.38.0
github.com/containerd/stargz-snapshotter/estargz v0.16.3 -> v0.18.1
github.com/docker/cli v27.5.0+incompatible -> v29.0.3+incompatible
github.com/docker/docker-credential-helpers v0.8.2 -> v0.9.3
github.com/go-openapi/analysis v0.23.0 -> v0.24.1
github.com/go-openapi/errors v0.22.0 -> v0.22.6
github.com/go-openapi/jsonpointer v0.21.0 -> v0.22.4
github.com/go-openapi/jsonreference v0.21.0 -> v0.21.4
github.com/go-openapi/loads v0.22.0 -> v0.23.2
github.com/go-openapi/spec v0.21.0 -> v0.22.3
github.com/go-openapi/validate v0.24.0 -> v0.25.1
github.com/google/certificate-transparency-go v1.2.1 -> v1.3.2-0.20250507091337-0eddb39e94f8
github.com/hashicorp/go-retryablehttp v0.7.7 -> v0.7.8
github.com/hashicorp/hcl v1.0.1-vault-5 -> v1.0.1-vault-7
github.com/opencontainers/image-spec v1.1.0 -> v1.1.1
github.com/sigstore/protobuf-specs v0.3.3 -> v0.5.0
github.com/sirupsen/logrus v1.9.3 -> v1.9.4
github.com/vbatts/tar-split v0.11.6 -> v0.12.2
go.mongodb.org/mongo-driver v1.14.0 -> v1.17.6
go.opentelemetry.io/otel v1.33.0 -> v1.38.0
go.opentelemetry.io/otel/trace v1.33.0 -> v1.38.0
go.uber.org/zap v1.27.0 -> v1.27.1
golang.org/x/crypto v0.36.0 -> v0.46.0
golang.org/x/exp v0.0.0-20250606033433-dcc06ee1d476 -> v0.0.0-20250620022241-b7579e27df2b
golang.org/x/net v0.38.0 -> v0.48.0
golang.org/x/sync v0.15.0 -> v0.19.0
golang.org/x/sys v0.31.0 -> v0.39.0
golang.org/x/term v0.30.0 -> v0.38.0
golang.org/x/text v0.23.0 -> v0.32.0
google.golang.org/grpc v1.69.4 -> v1.78.0
google.golang.org/protobuf v1.36.3 -> v1.36.11
sigs.k8s.io/yaml v1.4.0 -> v1.6.0

@renovate-bot renovate-bot requested a review from a team as a code owner April 1, 2026 01:55
