Unverified Rollback in Tough Client Before 0.20.0 Allows Wrong Target Fetch
CVE-2025-2887 Published on March 27, 2025
Failure to detect delegated target rollback in tough
During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
Weakness Type
Comparison Using Wrong Factors
The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses. This can lead to incorrect results and resultant weaknesses. For example, the code might inadvertently compare references to objects, instead of the relevant contents of those objects, causing two "equal" objects to be considered unequal.
Products Associated with CVE-2025-2887
Want to know whenever a new CVE is published for Amazon Aws? stack.watch will email you.
Affected Versions
AWS tough:- Version 0.1.0 and below 0.20.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.