tough v0.20.0: Rollback Timestamp Cache Validation Denial
CVE-2025-2888 Published on March 27, 2025
Improper timestamp caching during snapshot rollback in tough
During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
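To show the cache-ordering problem the advisory describes, here is an added, simplified model of a TUF-style update step in Rust; it is not tough's code, and it assumes a two-field timestamp (its own version plus the snapshot version it points to) and an in-memory map standing in for the on-disk cache. The buggy variant writes the timestamp to the cache before the snapshot rollback check runs, so a rejected update leaves the rejected timestamp cached; the fixed variant commits only after every check passes. The downstream failure of the next update is not modelled, only the cache state that causes it.

```rust
use std::collections::HashMap;
#[derive(Clone, Debug, PartialEq)]
pub struct Timestamp {
    pub version: u64,          // version of timestamp.json itself
    pub snapshot_version: u64, // snapshot version it points to
}
#[derive(Debug, PartialEq)]
pub enum UpdateError { TimestampRollback, SnapshotRollback }
pub struct Client {
    pub trusted: Timestamp,                // timestamp from the last good update
    pub cache: HashMap<String, Timestamp>, // stand-in for the on-disk cache
}
impl Client {
    /// Buggy ordering: the timestamp is cached as soon as its own rollback
    /// check passes, before the snapshot rollback check has run.
    pub fn update_buggy(&mut self, new: &Timestamp) -> Result<(), UpdateError> {
        if new.version < self.trusted.version {
            return Err(UpdateError::TimestampRollback);
        }
        self.cache.insert("timestamp.json".into(), new.clone()); // too early
        if new.snapshot_version < self.trusted.snapshot_version {
            return Err(UpdateError::SnapshotRollback); // rejected file stays cached
        }
        self.trusted = new.clone();
        Ok(())
    }

    /// Fixed ordering: every check runs first; cache and trusted state are
    /// committed together only after all of them pass.
    pub fn update_fixed(&mut self, new: &Timestamp) -> Result<(), UpdateError> {
        if new.version < self.trusted.version {
            return Err(UpdateError::TimestampRollback);
        }
        if new.snapshot_version < self.trusted.snapshot_version {
            return Err(UpdateError::SnapshotRollback);
        }
        self.cache.insert("timestamp.json".into(), new.clone());
        self.trusted = new.clone();
        Ok(())
    }
}

/// Constructed scenario: trusted timestamp v1 -> snapshot v5; the repository
/// then serves timestamp v2 pointing back at snapshot v3 (a snapshot rollback).
pub fn run_scenario(fixed: bool) -> (Result<(), UpdateError>, Option<Timestamp>) {
    let mut c = Client { trusted: Timestamp { version: 1, snapshot_version: 5 }, cache: HashMap::new() };
    let served = Timestamp { version: 2, snapshot_version: 3 };
    let r = if fixed { c.update_fixed(&served) } else { c.update_buggy(&served) };
    (r, c.cache.get("timestamp.json").cloned())
}
```

Both variants reject the rollback, but only the buggy one leaves `timestamp.json` in the cache afterwards, which is the state a later update would then load as trusted.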
Weakness Type
Comparison Using Wrong Factors
The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses. For example, the code might inadvertently compare references to objects instead of the relevant contents of those objects, causing two "equal" objects to be considered unequal.
Products Associated with CVE-2025-2888
Affected Versions
AWS tough: versions from 0.1.0 up to, but not including, 0.20.0 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.