Version Number Validation Flaw in Tough by AWS
CVE-2025-2885

5.7MEDIUM

Key Information:

Vendor: Aws
Status: Tough
Vendor: CVE Published:; 27 March 2025

What is CVE-2025-2885?

A flaw in the Tough library by AWS permits an attacker to bypass validation for the root metadata version number. This allows the attacker to provide an arbitrary version number to clients, which may result in the retrieval of a different version than intended from the root metadata file. Users are advised to upgrade to Tough version 0.20.0 or later and to apply necessary patches to any derivative code to address this issue effectively.

Affected Version(s)

tough 0.1.0 < 0.20.0

References

https://github.com/awslabs/tough/security/advisories/GHSA...

https://aws.amazon.com/security/security-bulletins/AWS-20...

CVSS V4

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2025
Vulnerability Reserved
Mar 27, 2025

Aws

What is CVE-2025-2885?

Affected Version(s)

References

CVSS V4

Timeline