SB2025032830 - Multiple vulnerabilities in tough
Published: March 28, 2025
Description
This security bulletin contains information about 5 security vulnerabilities in tough, the Rust library (and the tuftool CLI built on it) from AWS for consuming and producing repositories that follow The Update Framework (TUF). All five are client-side metadata validation flaws: a TUF client that mis-handles repository metadata can be led into accepting stale or out-of-scope content by whoever can feed it that metadata (a compromised repository or mirror, or a holder of delegated-role keys), so each item below names the check that failed and what that failure lets an attacker do.
1) Input validation error (CVE-ID: CVE-2025-2885)
The vulnerability allows a remote attacker to make the client trust superseded root metadata.
The vulnerability exists because the version of newly fetched root metadata is not checked for sequential versioning (it should be exactly one more than the currently trusted root version). An attacker able to serve metadata to the client, such as a compromised repository or mirror, can cause the target system to trust content associated with a previous root role instead of the current one.
2) Input validation error (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because cyclic delegation graphs are not detected. The client follows targets delegations recursively, so a set of roles that delegate back to one another is followed until the call stack is exhausted and the process aborts. An attacker who controls the delegation metadata served to the client can trigger this crash.
3) Comparison using wrong factors (CVE-ID: CVE-2025-2887)
The vulnerability allows a remote attacker to roll clients back to outdated delegated targets.
The vulnerability exists because rollback of delegated targets metadata is not detected. An attacker able to serve metadata to the client can cause the affected software to trust and download outdated targets that it should reject; this is the classic rollback attack, in which an old but once-valid package is served in place of the current one.
4) Comparison using wrong factors (CVE-ID: CVE-2025-2888)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack against updates.
The vulnerability exists because timestamp metadata is cached even when it fails the snapshot rollback check. With such a timestamp in its cache, the affected software subsequently compares valid timestamp metadata against it, incorrectly identifies the valid metadata as rolled back, and rejects it, preventing the client from consuming valid updates (a freeze condition).
5) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2025-2886)
The vulnerability allows the holder of a delegated targets role to serve content outside that role's scope.
The vulnerability exists because terminating targets role delegations are not respected. In TUF, marking a delegation as terminating tells the client to stop searching for a target once that delegatee has been consulted, so that no role later in the search order can answer for the delegated paths. Because the flag is ignored, an attacker who controls a delegated role's keys (or the metadata served for it) can provide arbitrary contents to clients for targets owned by the delegating identity.
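The five items above are all checks in the TUF client workflow. As an added example, not code from tough or from the advisories, the following Rust model implements those checks over an in-memory repository: sequential root versions (1), a cycle-proof walk of the delegation graph (2), delegated-targets rollback detection (3), committing a timestamp only once the snapshot it names has been verified (4), and terminating delegations (5). The `Client`, `TargetsMeta` and `Delegation` types, the `delegate`/`targets_meta` helpers, the role names and the version numbers are invented for illustration; prefix matching stands in for TUF path patterns, and signatures, expiry dates and hashes are deliberately left out.

```rust
use std::collections::{HashMap, HashSet};
// Added example, not tough's own code: a minimal model of the TUF client checks the five
// issues above concern, following the TUF specification's client workflow. Types, role
// names and version numbers are invented; signatures, expiry and hashes are omitted.

#[derive(Debug, PartialEq)]
pub enum TufError {
    NonSequentialRoot { trusted: u64, got: u64 },
    SnapshotRollback { trusted: u64, got: u64 },
    SnapshotMismatch { role: String, listed: u64, got: u64 },
    TargetsRollback { role: String, trusted: u64, got: u64 },
}

/// One entry of a targets role's "delegations" list; `path_prefix` stands in for TUF path patterns.
#[derive(Clone, Debug)]
pub struct Delegation { pub role: String, pub path_prefix: String, pub terminating: bool }

pub fn delegate(role: &str, path_prefix: &str, terminating: bool) -> Delegation {
    Delegation { role: role.into(), path_prefix: path_prefix.into(), terminating }
}

/// A targets role: the target paths it signs for plus its ordered delegations.
#[derive(Clone, Debug, Default)]
pub struct TargetsMeta { pub targets: HashSet<String>, pub delegations: Vec<Delegation> }

pub fn targets_meta(targets: &[&str], delegations: Vec<Delegation>) -> TargetsMeta {
    TargetsMeta { targets: targets.iter().map(|t| t.to_string()).collect(), delegations }
}

/// Trusted state kept between update runs. TUF versions start at 1, so 0 means "nothing trusted yet".
#[derive(Debug, Default)]
pub struct Client {
    pub root_version: u64,
    pub trusted_snapshot_version: u64, // the snapshot the trusted timestamp names
    pub trusted_targets_versions: HashMap<String, u64>,
    pub roles: HashMap<String, TargetsMeta>,
}

impl Client {
    /// Issue 1: a new root is accepted only if its version is exactly N+1.
    pub fn update_root(&mut self, got: u64) -> Result<(), TufError> {
        if got != self.root_version + 1 { return Err(TufError::NonSequentialRoot { trusted: self.root_version, got }); }
        self.root_version = got;
        Ok(())
    }

    /// Issue 4: a new timestamp (naming snapshot `ts_names`) is committed only once the snapshot it
    /// names has also passed; nothing is cached on failure, so a poisoned timestamp can't block later ones.
    pub fn update_timestamp_and_snapshot(&mut self, ts_names: u64, snapshot: u64) -> Result<(), TufError> {
        let trusted = self.trusted_snapshot_version;
        if ts_names < trusted { return Err(TufError::SnapshotRollback { trusted, got: ts_names }); }
        if snapshot != ts_names { return Err(TufError::SnapshotMismatch { role: "snapshot".into(), listed: ts_names, got: snapshot }); }
        self.trusted_snapshot_version = snapshot;
        Ok(())
    }

    /// Issue 3: a fetched (delegated) targets file must carry the version the trusted snapshot
    /// lists for it and must not be older than the version of that role already trusted.
    pub fn update_targets(&mut self, role: &str, listed: u64, got: u64, meta: TargetsMeta) -> Result<(), TufError> {
        if got != listed { return Err(TufError::SnapshotMismatch { role: role.into(), listed, got }); }
        let trusted = self.trusted_targets_versions.get(role).copied().unwrap_or(0);
        if got < trusted { return Err(TufError::TargetsRollback { role: role.into(), trusted, got }); }
        self.trusted_targets_versions.insert(role.into(), got);
        self.roles.insert(role.into(), meta);
        Ok(())
    }

    /// Issues 2 and 5: pre-order depth-first search of the delegation graph. Each role is visited
    /// at most once, so a cycle ends the search instead of exhausting the stack; when a terminating
    /// delegation matches, all other pending roles are dropped, so nothing outside its subtree answers.
    pub fn find_target_owner(&self, target: &str) -> Option<String> {
        let mut to_visit = vec!["targets".to_string()];
        let mut visited: HashSet<String> = HashSet::new();
        while let Some(role) = to_visit.pop() {
            if !visited.insert(role.clone()) { continue; } // cycle guard
            let meta = match self.roles.get(&role) { Some(m) => m, None => continue };
            if meta.targets.contains(target) { return Some(role); }
            let mut children = Vec::new();
            for d in meta.delegations.iter().filter(|d| target.starts_with(&d.path_prefix)) {
                children.push(d.role.clone());
                if d.terminating { to_visit.clear(); break; } // nothing else may answer
            }
            children.reverse(); // pop() takes from the end: keep metadata order
            to_visit.extend(children);
        }
        None
    }
}

/// Constructed scenario: "targets" delegates "pkg/foo/" to "a" (terminating) and then "pkg/" to
/// "b"; "a" delegates "pkg/foo/sub/" to "c", which delegates back to "a" (a cycle). "b" also
/// claims "pkg/foo/evil", a path the terminating delegation reserves for "a".
pub fn demo_client() -> Client {
    let mut c = Client::default();
    c.roles.insert("targets".into(), targets_meta(&[], vec![delegate("a", "pkg/foo/", true), delegate("b", "pkg/", false)]));
    c.roles.insert("a".into(), targets_meta(&["pkg/foo/app"], vec![delegate("c", "pkg/foo/sub/", false)]));
    c.roles.insert("b".into(), targets_meta(&["pkg/foo/evil", "pkg/lib"], vec![]));
    c.roles.insert("c".into(), targets_meta(&[], vec![delegate("a", "pkg/foo/", false)]));
    c
}
```

On the constructed scenario, `demo_client().find_target_owner("pkg/foo/evil")` returns `None`: the terminating delegation to `a` empties the pending list, so `b` is never consulted even though it claims the path. Drop the `to_visit.clear(); break;` and the same call returns `Some("b")`, which is the behaviour item 5 describes. `find_target_owner("pkg/foo/sub/none")` walks the `a -> c -> a` cycle once, hits the visited guard, and returns `None` instead of recursing until the stack is exhausted (item 2). For item 4, the pairing of timestamp and snapshot in one commit is the point: a timestamp naming snapshot 100 when the real snapshot is 5 is rejected and leaves `trusted_snapshot_version` untouched, so a later timestamp naming snapshot 6 is still accepted.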
Remediation
Install the update from the vendor: move to a tough release that contains the fixes (the AWS bulletin and the GitHub advisories listed under References identify it). Because tough is a library, every Rust project that depends on it must bump the crate, rebuild and redeploy; `cargo tree -i tough` lists the dependents in a workspace. Given item 4, clients that ran a vulnerable version should also treat their cached timestamp metadata as suspect rather than assume it will recover on its own.
References
- https://aws.amazon.com/security/security-bulletins/AWS-2025-007/
- https://github.com/awslabs/tough/security/advisories/GHSA-5vmp-m5v2-hx47
- https://github.com/awslabs/tough/security/advisories/GHSA-j8x2-777p-23fc
- https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7
- https://github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4
- https://github.com/awslabs/tough/security/advisories/GHSA-v4wr-j3w6-mxqc