CVE-2025-2887

During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/	Vendor Advisory
https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*

History

19 Sep 2025, 14:30

Type	Values Removed	Values Added
Summary		(es) Durante la reversión de un objetivo, el cliente no detecta la reversión de los objetivos delegados. Esto podría provocar que el cliente obtenga un objetivo de una fuente incorrecta, alterando su contenido. Los usuarios deben actualizar a la versión 0.20.0 o posterior y asegurarse de que cualquier código derivado o bifurcado esté parcheado para incorporar las nuevas correcciones.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.5
References	~~() https://aws.amazon.com/security/security-bulletins/AWS-2025-007/ -~~	() https://aws.amazon.com/security/security-bulletins/AWS-2025-007/ - Vendor Advisory
References	~~() https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7 -~~	() https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7 - Vendor Advisory
First Time		Amazon tough Amazon
CPE		cpe:2.3:a:amazon:tough::::::rust::*

27 Mar 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-27 23:15

Updated : 2025-09-19 14:30

NVD link : CVE-2025-2887

Mitre link : CVE-2025-2887

CVE.ORG link : CVE-2025-2887

JSON object : View

Products Affected

amazon

tough

CWE

CWE-1025

Comparison Using Wrong Factors

{"id": "CVE-2025-2887", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 0.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-27T23:15:35.560", "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007/", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "description": [{"lang": "en", "value": "CWE-1025"}]}], "descriptions": [{"lang": "en", "value": "During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes."}, {"lang": "es", "value": "Durante la reversi\u00f3n de un objetivo, el cliente no detecta la reversi\u00f3n de los objetivos delegados. Esto podr\u00eda provocar que el cliente obtenga un objetivo de una fuente incorrecta, alterando su contenido. Los usuarios deben actualizar a la versi\u00f3n 0.20.0 o posterior y asegurarse de que cualquier c\u00f3digo derivado o bifurcado est\u00e9 parcheado para incorporar las nuevas correcciones."}], "lastModified": "2025-09-19T14:30:31.773", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "E16D23E6-5B9B-4ADF-AD1E-FD483707F5C1", "versionEndExcluding": "0.20.0"}], "operator": "OR"}]}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}