Client Configuration Vulnerability in Tough by AWS
CVE-2025-2886

5.7MEDIUM

Key Information:

Vendor: Aws
Status: Tough
Vendor: CVE Published:; 27 March 2025

What is CVE-2025-2886?

A validation issue in the Tough library allows a client to continue fetching data from a specified delegation list, even after reaching a termination point. This misconfiguration can lead to the retrieval of target contents from incorrect sources, potentially compromising the integrity of data. It is crucial for users of Tough to upgrade to version 0.20.0 or later and ensure that any custom or forked versions include the necessary patches to mitigate this vulnerability.

Affected Version(s)

tough 0.1.0 < 0.20.0

References

https://github.com/awslabs/tough/security/advisories/GHSA...

https://aws.amazon.com/security/security-bulletins/AWS-20...

CVSS V4

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2025
Vulnerability Reserved
Mar 27, 2025

Aws

What is CVE-2025-2886?

Affected Version(s)

References

CVSS V4

Timeline