Impact
The vulnerability exists in the legacy TUF client used by the sigstore framework in versions 1.10.3 and earlier. When fetching target files, the client constructs a filesystem path by joining a cache base directory with a target name taken from signed target metadata. Because the resulting path is not validated, a malicious TUF repository can supply a target name that, once joined, resolves to a location outside the intended cache directory. This omission allows an attacker to overwrite any file on disk that the running process can write to, potentially altering configuration files, scripts, or other sensitive data. The flaw is a classic directory traversal leading to arbitrary file write (CWE-22); it confers no direct remote code execution capability, but could serve as a vector for privilege escalation depending on the file targeted.
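The following Go snippet is an added illustration of the pattern described above, not code from the sigstore library: `unsafeCachePath` reproduces the unchecked join, and `safeCachePath` is a hardened variant (written for this example, with a constructed cache directory and target names) that rejects any target name whose joined path resolves outside the cache base.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a target name would resolve outside the cache.
var ErrTraversal = errors.New("target name escapes cache directory")

// unsafeCachePath mirrors the flawed pattern the advisory describes: the
// target name taken from signed metadata is joined onto the cache base
// directory with no check that the result stays inside it.
func unsafeCachePath(cacheDir, targetName string) string {
	return filepath.Join(cacheDir, targetName)
}

// safeCachePath joins the same inputs but refuses any result that does not
// resolve to a path strictly inside cacheDir. This is a hardened variant
// written for this example, not the library's own fix.
func safeCachePath(cacheDir, targetName string) (string, error) {
	base, err := filepath.Abs(cacheDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, targetName) // Join also collapses ".." segments
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// rel is "." when the name is empty, and ".." or "../x" when it escapes.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: a benign target name and a traversing one.
	for _, name := range []string{"targets/example-root.pem", "../../etc/passwd"} {
		fmt.Printf("unsafe: %-24s -> %s\n", name, unsafeCachePath("/tmp/tuf-cache", name))
		if p, err := safeCachePath("/tmp/tuf-cache", name); err != nil {
			fmt.Printf("safe:   %-24s -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("safe:   %-24s -> %s\n", name, p)
		}
	}
}
```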
Affected Systems
Affected clients are those that use the sigstore/sigstore Go library directly at version 1.10.3 or older, or older releases of Cosign that embed this library. Public deployments of Sigstore itself are not impacted because TUF metadata is validated by a quorum of trusted collaborators. The vulnerability affects any environment where the legacy TUF client has disk caching enabled, and its impact is greatest where the caller runs with elevated permissions.
Risk and Exploitability
The CVSS score of 5.8 signals a moderate level of risk. The EPSS score indicates a very low probability of exploitation (<1%). The vulnerability is not listed in CISA's KEV catalog, which further suggests limited current exploitation activity. An attacker would need the ability to supply malicious TUF repository metadata to a client that trusts that repository; the attack vector is local to the client's execution environment. No public exploit has been documented, and remediation is straightforward through a library update or configuration change.
OpenCVE Enrichment