CVE-2025-2885
MEDIUMAmazon Tough < 0.20.0 - Arbitrary Metadata Version Spoofing via Root Metadata Validation Bypass
Title source: llmDescription
Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
https://github.com/awslabs/tough/security/advisories/GHSA-5vmp-m5v2-hx47
Vendor Advisory vendor-advisory
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/
Release Notes patch
https://github.com/awslabs/tough/releases/tag/tough-v0.20.0
Scores
CVSS v3
4.5
EPSS
0.0026
EPSS Percentile
48.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1288
Status
published
Products (2)
amazon/tough
< 0.20.0
crates.io/tough
0 - 0.20.0crates.io
Published
Mar 27, 2025
Tracked Since
Feb 18, 2026