Rollback Vulnerability in Tough Client by AWS
CVE-2025-2887

CVSS score: 5.7 (MEDIUM)

Key Information:

Vendor: AWS
Status: Vendor
CVE Published: 27 March 2025

What is CVE-2025-2887?

The tough client by AWS contains a flaw in its rollback detection: when a repository presents older metadata for a delegated targets role, the client fails to detect the rollback for delegated targets and may therefore retrieve a target from an incorrect source, leading to unintended alterations in the target's contents. To mitigate this risk, users are urged to upgrade to tough version 0.20.0 or later and to ensure that any forked or derivative code is updated with the latest patches to incorporate the necessary fixes.

Affected Version(s)

tough >= 0.1.0, < 0.20.0

CVSS v4

Score: 5.7
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved