CVE-2025-2887
MEDIUMAmazon Tough < 0.20.0 - Incorrect Target Rollback Detection
Title source: llmDescription
During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7
Vendor Advisory vendor-advisory
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/
Release Notes patch
https://github.com/awslabs/tough/releases/tag/tough-v0.20.0
Scores
CVSS v3
4.5
EPSS
0.0024
EPSS Percentile
47.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1025
Status
published
Products (2)
amazon/tough
< 0.20.0
crates.io/tough
0 - 0.20.0crates.io
Published
Mar 27, 2025
Tracked Since
Feb 18, 2026