Tough
CVE-2025-2888
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
AnalysisAI
During a snapshot rollback, the client incorrectly caches the timestamp metadata. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-1025. During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. Affected products include: Amazon Tough. Version information: version 0.20.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signat
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. Rated
Path traversal vulnerabilities in AWS Tough (a Rust TUF client library) versions prior to 0.22.0 enable authenticated us
Metadata integrity bypass in AWS tough (TUF client library) before v0.22.0 allows authenticated users with delegated sig
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. Rated
During a target rollback, the client fails to detect the rollback for delegated targets. Rated medium severity (CVSS 5.7
Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to th
Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even a
Same weakness CWE-1025 – Comparison Using Wrong Factors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today