Skip to main content

Tough

9 CVEs product

Monthly

CVE-2026-6968 HIGH PATCH NEWS This Week

Path traversal vulnerabilities in AWS Tough (a Rust TUF client library) versions prior to 0.22.0 enable authenticated users with delegated signing privileges to write arbitrary files outside intended repository directories, bypassing incomplete fixes from previous security patches. The flaws exist in three distinct code paths: absolute target names in copy_target/link_target operations, symlinked parent directories in save_target, and symlinked metadata filenames in SignedRole::write. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0 that implement post-resolution path containment verification. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 7.1 HIGH reflects significant integrity impact when exploited.

Path Traversal Tough Tuftool
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-6967 Cargo HIGH PATCH GHSA This Week

Metadata integrity bypass in AWS tough (TUF client library) before v0.22.0 allows authenticated users with delegated signing authority to poison local metadata caches by bypassing expiration, hash, and length validation checks. The vulnerability exists because load_delegations skips specification-mandated integrity checks applied to top-level targets metadata, enabling malicious delegated signers to inject invalid metadata. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0. CVSS 7.1 reflects network vector but high attack complexity (AT:P indicates specialized conditions). No public exploit or active exploitation confirmed at time of analysis, though authentication bypass tag suggests significant trust boundary violation.

Authentication Bypass Tough Tuftool
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2025-2888 Cargo MEDIUM PATCH This Month

During a snapshot rollback, the client incorrectly caches the timestamp metadata. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Tough
NVD GitHub
CVSS 4.0
5.7
EPSS
0.2%
CVE-2025-2887 Cargo MEDIUM PATCH This Month

During a target rollback, the client fails to detect the rollback for delegated targets. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Tough
NVD GitHub
CVSS 4.0
5.7
EPSS
0.2%
CVE-2025-2886 Cargo MEDIUM PATCH This Month

Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Tough
NVD GitHub
CVSS 4.0
5.7
EPSS
0.1%
CVE-2025-2885 Cargo MEDIUM PATCH This Month

Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable. No vendor patch available.

RCE Tough
NVD GitHub
CVSS 4.0
5.7
EPSS
0.2%
CVE-2021-41150 Cargo MEDIUM PATCH This Month

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Tough
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2021-41149 Cargo HIGH PATCH This Week

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Tough
NVD GitHub
CVSS 3.1
8.1
EPSS
1.1%
CVE-2020-15093 Cargo HIGH PATCH This Week

The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Tough
NVD GitHub
CVSS 3.1
8.6
EPSS
1.4%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal vulnerabilities in AWS Tough (a Rust TUF client library) versions prior to 0.22.0 enable authenticated users with delegated signing privileges to write arbitrary files outside intended repository directories, bypassing incomplete fixes from previous security patches. The flaws exist in three distinct code paths: absolute target names in copy_target/link_target operations, symlinked parent directories in save_target, and symlinked metadata filenames in SignedRole::write. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0 that implement post-resolution path containment verification. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 7.1 HIGH reflects significant integrity impact when exploited.

Path Traversal Tough Tuftool
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Metadata integrity bypass in AWS tough (TUF client library) before v0.22.0 allows authenticated users with delegated signing authority to poison local metadata caches by bypassing expiration, hash, and length validation checks. The vulnerability exists because load_delegations skips specification-mandated integrity checks applied to top-level targets metadata, enabling malicious delegated signers to inject invalid metadata. AWS has released patches in tough-v0.22.0 and tuftool-v0.15.0. CVSS 7.1 reflects network vector but high attack complexity (AT:P indicates specialized conditions). No public exploit or active exploitation confirmed at time of analysis, though authentication bypass tag suggests significant trust boundary violation.

Authentication Bypass Tough Tuftool
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

During a snapshot rollback, the client incorrectly caches the timestamp metadata. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Tough
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

During a target rollback, the client fails to detect the rollback for delegated targets. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Tough
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Tough
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable. No vendor patch available.

RCE Tough
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Tough
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Tough
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Tough
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy