Missing root metadata version validation in Tough (v0.20.0+)
CVE-2025-2885 Published on March 27, 2025
Root metadata version not validated in tough
Missing validation of the root metadata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering which root version the client ends up trusting. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
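The consistency check the advisory describes, written as an added Python illustration rather than tough's own (Rust) code: a TUF client that has trusted root version N fetches `N+1.root.json`, and before accepting it must confirm that the file's `signed.version` is exactly the number it asked for and exactly one more than the trusted root. The repository contents below are constructed, and signature verification is assumed to have happened already (a real client must also verify the signatures against both the trusted and the new root's key thresholds).

```python
import json


class RootVersionError(Exception):
    """Raised when fetched root metadata is inconsistent with what the client asked for."""


def validate_root_version(root_json: str, requested_version: int, trusted_version: int) -> int:
    """Check that root metadata fetched as <requested_version>.root.json is internally
    consistent with that filename and with the currently trusted root version.
    Returns the accepted version number or raises RootVersionError."""
    doc = json.loads(root_json)
    signed = doc.get("signed")
    if not isinstance(signed, dict):
        raise RootVersionError("root metadata has no 'signed' object")
    if signed.get("_type") != "root":
        raise RootVersionError(f"expected _type 'root', got {signed.get('_type')!r}")
    version = signed.get("version")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(version, bool) or not isinstance(version, int) or version < 1:
        raise RootVersionError(f"version must be a positive integer, got {version!r}")
    # The number in the filename and the number inside the signed payload must agree;
    # this is the check whose absence lets a server substitute an arbitrary version.
    if version != requested_version:
        raise RootVersionError(
            f"fetched {requested_version}.root.json but its signed.version is {version}")
    # Root versions must advance one step at a time from the trusted root.
    if version != trusted_version + 1:
        raise RootVersionError(
            f"expected version {trusted_version + 1} after trusted root {trusted_version}, got {version}")
    return version


def update_root(fetch, trusted_version: int) -> int:
    """Walk N+1.root.json, N+2.root.json, ... until the repository has no newer root.
    fetch(name) returns the file text, or None if the file does not exist."""
    current = trusted_version
    while True:
        body = fetch(f"{current + 1}.root.json")
        if body is None:
            return current
        current = validate_root_version(body, current + 1, current)


def safe_update_root(repo: dict, trusted_version: int):
    """Convenience wrapper over a dict-backed repository: returns the final trusted
    version, or None if any fetched root failed the consistency checks."""
    try:
        return update_root(lambda name: repo.get(name), trusted_version)
    except RootVersionError as err:
        print(f"rejected root update: {err}")
        return None


# Constructed sample repositories (hypothetical, unsigned metadata for illustration).
def make_root(version: int) -> str:
    return json.dumps({"signatures": [],
                       "signed": {"_type": "root", "spec_version": "1.0.0", "version": version}})


GOOD_REPO = {"2.root.json": make_root(2), "3.root.json": make_root(3)}
# Server answers the request for 3.root.json with an old version-1 payload.
STALE_REPO = {"2.root.json": make_root(2), "3.root.json": make_root(1)}
# Server answers the request for 2.root.json with a far-future version number.
SKIP_REPO = {"2.root.json": make_root(7)}


if __name__ == "__main__":
    print("good repo ->", safe_update_root(GOOD_REPO, 1))    # 3
    print("stale repo ->", safe_update_root(STALE_REPO, 1))  # None
    print("skip repo ->", safe_update_root(SKIP_REPO, 1))    # None
```

The two rejected repositories show the two ways an inconsistent version number can bite: a stale payload served under a newer filename, and a payload that jumps past the expected next version. Both are caught by comparing `signed.version` against the requested filename and against the trusted root before the new root replaces it.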
Weakness Type
Improper Validation of Consistency within Input
The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.
Products Associated with CVE-2025-2885
Affected Versions
AWS tough: versions from 0.1.0 up to, but not including, 0.20.0 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.