Publication Date: 2025/03/27 02:30PM PDT
Description
The Update Framework (TUF) is a software framework designed to protect mechanisms that automatically identify and download updates to software. tough is a Rust client library for TUF repositories.
AWS is aware of the following issues within tough, versions prior to 0.20.0. On March 27, 2025, we released a fix in tough 0.20.0 and recommend customers upgrade to address these issues and ensure any forked or derivative code is patched to incorporate the new fixes.
- CVE-2025-2885 relates to missing validation of the root metadata version number: an actor could supply a root metadata file carrying an unexpected version number in place of the intended version, altering the root version the client ends up fetching.
- CVE-2025-2886 relates to an issue in the library’s ability to identify the correct signature to verify for content when terminating delegated roles are used.
- CVE-2025-2888 relates to an issue which caused the client to cache timestamp metadata despite it being correctly rejected when a rollback was detected. This could cause tough to subsequently fail to consume valid updates.
- CVE-2025-2887 relates to an issue with incomplete rollback detection when delegated roles are in use. This could lead to tough failing to detect rollbacks that it should have enough information to detect.
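The following is an added example, not code from tough or from AWS, showing the two client-side checks that the CVE-2025-2885 and CVE-2025-2888 entries above concern: a TUF client that fetches `N.root.json` must confirm the file actually declares version N before trusting it, and a timestamp file that fails the rollback check must be rejected without being written to the local cache, so that a later valid update is still accepted. The metadata structs, the `fetch` closure, and every function name here are hypothetical simplifications; a real client parses the signed JSON and verifies signatures before any of these version comparisons.

```rust
// Added example (not tough's own code). Only the version fields are modelled;
// signature verification and JSON parsing are assumed to have happened already.

#[derive(Debug, Clone, PartialEq)]
pub struct RootMetadata {
    pub version: u64,
}

#[derive(Debug, Clone, PartialEq)]
pub struct TimestampMetadata {
    pub version: u64,
}

#[derive(Debug, PartialEq)]
pub enum UpdateError {
    /// The file fetched as `<expected>.root.json` declares a different version.
    RootVersionMismatch { expected: u64, found: u64 },
    /// The fetched timestamp is older than the one already trusted.
    TimestampRollback { trusted: u64, found: u64 },
}

/// The root metadata fetched under version number `expected` must claim
/// exactly that version; otherwise the server controls which root the client
/// walks to, which is the class of problem CVE-2025-2885 describes.
pub fn check_root_version(expected: u64, fetched: &RootMetadata) -> Result<(), UpdateError> {
    if fetched.version != expected {
        return Err(UpdateError::RootVersionMismatch { expected, found: fetched.version });
    }
    Ok(())
}

/// Walk the root chain from the trusted root: request trusted+1, trusted+2, ...
/// until the fetcher has no such file. Every candidate is checked against the
/// version number it was requested under before becoming the new trusted root.
/// `fetch` is a hypothetical stand-in for a repository client.
pub fn update_root_chain<F>(trusted: RootMetadata, mut fetch: F) -> Result<RootMetadata, UpdateError>
where
    F: FnMut(u64) -> Option<RootMetadata>,
{
    let mut current = trusted;
    loop {
        let next_version = current.version + 1;
        match fetch(next_version) {
            None => return Ok(current),
            Some(candidate) => {
                check_root_version(next_version, &candidate)?;
                current = candidate;
            }
        }
    }
}

/// Local cache of the trusted timestamp metadata (hypothetical type).
#[derive(Default)]
pub struct TimestampCache {
    pub trusted: Option<TimestampMetadata>,
}

impl TimestampCache {
    pub fn new() -> Self {
        Self::default()
    }

    /// Accept a fetched timestamp only if its version is not lower than the
    /// trusted one. On rejection the cache is left untouched: caching a rejected
    /// file is the failure mode CVE-2025-2888 describes, because the stale entry
    /// would then block later, valid updates.
    pub fn update(&mut self, fetched: TimestampMetadata) -> Result<(), UpdateError> {
        if let Some(trusted) = &self.trusted {
            if fetched.version < trusted.version {
                return Err(UpdateError::TimestampRollback {
                    trusted: trusted.version,
                    found: fetched.version,
                });
            }
        }
        self.trusted = Some(fetched);
        Ok(())
    }
}

fn main() {
    // Constructed scenario: the repository answers a request for 2.root.json
    // with a file that claims to be version 5. The walk must stop with an error.
    let result = update_root_chain(RootMetadata { version: 1 }, |n| {
        if n == 2 { Some(RootMetadata { version: 5 }) } else { None }
    });
    println!("{:?}", result);

    let mut cache = TimestampCache::new();
    println!("{:?}", cache.update(TimestampMetadata { version: 10 }));
    println!("{:?}", cache.update(TimestampMetadata { version: 9 }));
    println!("trusted after rejection: {:?}", cache.trusted);
}
```

The rollback comparison for timestamp metadata is `<` rather than `<=`, matching the TUF specification's rule that a fetched timestamp with the same version as the trusted one is not a rollback (the client simply has nothing new to apply).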
Affected version: <0.20.0
Resolution:
Patches for these issues are included in tough >=0.20.0.
References:
We would like to thank Google for collaborating on this issue through the coordinated vulnerability disclosure process.
Please email aws-security@amazon.com with any security questions or concerns.