Amazon Tough

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Amazon Tough.

Recent Amazon Tough Security Advisories

Date        Advisory Title                                               Published
2026-04-24  Issues in tough library and tuftool CLI utility              April 24, 2026
2025-03-27  Issue with tough, versions prior to 0.20.0 (Multiple CVEs)   March 27, 2025

By the Year

In 2026 there have been 2 vulnerabilities in Amazon Tough with an average score of 5.6 out of ten. Tough did not have any published security vulnerabilities last year. That is, 2 more vulnerabilities have already been reported in 2026 as compared to last year.

Year  Vulnerabilities  Average Score
2026  2                5.60
2025  0                0.00
2024  0                0.00
2023  0                0.00
2022  0                0.00
2021  2                7.30
2020  1                8.60

It may take a day or so for new Tough vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Amazon Tough Security Vulnerabilities

tough <0.22.0: Missing Exp/Hash/Len in Delegated Metadata (CVE-2026-6967)
CVE-2026-6967 5.9 - Medium - April 24, 2026

Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

Insufficient Verification of Data Authenticity

Signature Verification Flaw in AWS Tough <0.22.0 (go)
CVE-2026-6966 5.3 - Medium - April 24, 2026

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.

Improper Verification of Cryptographic Signature

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories
CVE-2021-41150 6.5 - Medium - October 19, 2021

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.

Directory traversal

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories
CVE-2021-41149 8.1 - High - October 19, 2021

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.

Directory traversal

The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures
CVE-2020-15093 8.6 - High - July 09, 2020

The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation.

Improper Verification of Cryptographic Signature
