CVE-2025-2887

During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/	Vendor Advisory
https://github.com/awslabs/tough/releases/tag/tough-v0.20.0
https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*

History

No history.

Information

Published : 2025-03-27 23:15

Updated : 2025-10-14 19:15

NVD link : CVE-2025-2887

Mitre link : CVE-2025-2887

CVE.ORG link : CVE-2025-2887

JSON object : View

Products Affected

amazon

tough

CWE

CWE-1025

Comparison Using Wrong Factors

{"id": "CVE-2025-2887", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 0.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-27T23:15:35.560", "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007/", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/awslabs/tough/releases/tag/tough-v0.20.0", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "description": [{"lang": "en", "value": "CWE-1025"}]}], "descriptions": [{"lang": "en", "value": "During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes."}, {"lang": "es", "value": "Durante la reversi\u00f3n de un objetivo, el cliente no detecta la reversi\u00f3n de los objetivos delegados. Esto podr\u00eda provocar que el cliente obtenga un objetivo de una fuente incorrecta, alterando su contenido. Los usuarios deben actualizar a la versi\u00f3n 0.20.0 o posterior y asegurarse de que cualquier c\u00f3digo derivado o bifurcado est\u00e9 parcheado para incorporar las nuevas correcciones."}], "lastModified": "2025-10-14T19:15:39.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "E16D23E6-5B9B-4ADF-AD1E-FD483707F5C1", "versionEndExcluding": "0.20.0"}], "operator": "OR"}]}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}