Anonymous Intelligence Signal

Sigstore TUF Client Vulnerability (CVE-2026-24137): Path Traversal Flaw Allows Arbitrary File Writes

The Lab | unverified | 2026-03-25 07:52:17 | Source: GitHub Issues

A critical security flaw has been identified in the legacy TUF client of the Sigstore software supply chain security project. Tracked as CVE-2026-24137, it allows arbitrary file writes through path traversal. The failure is in the client's file caching logic: it builds a filesystem path by joining a cache base directory with a target name taken from signed TUF metadata, then never checks that the resulting path still lies inside the cache directory. A target name containing `..` components therefore resolves outside the cache, and an attacker who can get the client to fetch and accept metadata carrying such a name can write files to unintended locations on the host, limited only by the permissions of the process running the client. The signature on the metadata does not mitigate this: the check is on the metadata's authenticity, not on the shape of the names it contains.
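The join-then-use pattern described above, next to one way of confining the result, as an added Go example written for this page. It is not the sigstore/sigstore code and not the upstream patch; the function names `unsafeCachePath` and `safeCachePath`, the cache directory `/tmp/tufcache` and the target names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when a target name would resolve outside the
// cache directory. (Illustrative example; not the sigstore/sigstore code.)
var ErrOutsideCache = errors.New("target name resolves outside the cache directory")

// unsafeCachePath reproduces the vulnerable pattern: the cache base is joined
// with a target name taken from metadata and the result is used as-is.
// filepath.Join cleans the path, so ".." components are resolved rather than
// rejected, and the result can leave base entirely.
func unsafeCachePath(base, targetName string) string {
	return filepath.Join(base, targetName)
}

// safeCachePath joins the same inputs but refuses any result that is not
// strictly inside base. The containment check runs on the cleaned result
// (via filepath.Rel), not on the raw input string, so a name such as
// "targets/../../x" is caught as well as a plain "../x".
func safeCachePath(base, targetName string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// An absolute target name is never a legitimate cache entry; reject it
	// before joining rather than relying on how Join treats it.
	if filepath.IsAbs(targetName) {
		return "", ErrOutsideCache
	}
	candidate := filepath.Join(absBase, targetName)
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", err
	}
	// Rel yields "." for base itself and a leading ".." for anything above it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return candidate, nil
}

func main() {
	// Constructed inputs: a cache directory, one benign target name and one
	// carrying a traversal sequence as a malicious metadata file might.
	base := "/tmp/tufcache"
	for _, name := range []string{"targets/release.tar.gz", "../../etc/passwd"} {
		fmt.Printf("unsafe: %-26q -> %s\n", name, unsafeCachePath(base, name))
		if p, err := safeCachePath(base, name); err != nil {
			fmt.Printf("safe:   %-26q -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("safe:   %-26q -> %s\n", name, p)
		}
	}
}
```

The check is lexical: it confines the cleaned string, not what the filesystem does with it. If the cache directory can contain symlinks, resolve the candidate with `filepath.EvalSymlinks` before the `Rel` comparison, or perform the file operations through a directory-scoped handle (`os.Root` in Go 1.24 and later) so that the kernel enforces the boundary. Note also that a name beginning with `..` but not followed by a separator (for example `..hidden`) is an ordinary entry, so a prefix test on the raw name would reject valid targets; comparing the `Rel` result avoids that.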

The vulnerable code is in the `pkg/tuf/client.go` file of the sigstore/sigstore library. It affects any code that uses this legacy TUF client directly, as well as older releases of the Cosign signing tool, which depends on the library. The fix shipped in version 1.10.4 of the github.com/sigstore/sigstore module; the report seen here originates from an automated dependency-update pull request moving a consumer from the vulnerable 1.9.5 to 1.10.4.

The disclosure puts immediate pressure on organizations and developers that rely on Sigstore's TUF client for artifact verification and metadata caching. The fix is available, but the flaw illustrates a recurring risk in supply chain security tooling: a single unchecked path in a foundational library can turn the caching layer of a verification tool into an arbitrary file write primitive. Projects should confirm which version they actually build against, including indirect dependencies (for a Go module, `go list -m all | grep sigstore/sigstore` shows the resolved version; anything below 1.10.4 is exposed), and update to 1.10.4 or later.