CVE-2025-2886
MEDIUMAmazon Tough < 0.20.0 - Incorrect Target Source Validation via Delegation Chain
Title source: llmDescription
Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
https://github.com/awslabs/tough/security/advisories/GHSA-v4wr-j3w6-mxqc
Vendor Advisory vendor-advisory
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/
Release Notes patch
https://github.com/awslabs/tough/releases/tag/tough-v0.20.0
Scores
CVSS v3
4.5
EPSS
0.0027
EPSS Percentile
18.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-670
Status
published
Products (2)
amazon/tough
< 0.20.0
crates.io/tough
0 - 0.20.0crates.io
Published
Mar 27, 2025
Tracked Since
Feb 18, 2026