Timestamp Metadata Caching Issue in Tough by AWS
CVE-2025-2888

5.7MEDIUM

Key Information:

Vendor: Aws
Status: Tough
Vendor: CVE Published:; 27 March 2025

What is CVE-2025-2888?

A vulnerability in Tough, a library developed by AWS, arises when the client improperly caches timestamp metadata during a snapshot rollback. This caching issue leads to failed update timestamp validation, effectively halting subsequent updates until the cache is manually cleared. To mitigate this risk, users are strongly advised to upgrade to Tough version 0.20.0 or later, ensuring any forked or derivative code is also patched to implement the necessary fixes.

Affected Version(s)

tough 0.1.0 < 0.20.0

References

https://github.com/awslabs/tough/security/advisories/GHSA...

https://aws.amazon.com/security/security-bulletins/AWS-20...

CVSS V4

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2025
Vulnerability Reserved
Mar 27, 2025

Aws

What is CVE-2025-2888?

Affected Version(s)

References

CVSS V4

Timeline