CVE-2025-2888
MEDIUMAmazon Tough < 0.20.0 - Incorrect Timestamp Validation During Snapshot Rollback
Title source: llmDescription
During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
https://github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4
Vendor Advisory vendor-advisory
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/
Release Notes patch
https://github.com/awslabs/tough/releases/tag/tough-v0.20.0
Scores
CVSS v3
4.5
EPSS
0.0026
EPSS Percentile
48.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1025
Status
published
Products (2)
amazon/tough
< 0.20.0
crates.io/tough
0 - 0.20.0crates.io
Published
Mar 27, 2025
Tracked Since
Feb 18, 2026