Risk | Low
Patch available | YES
Number of vulnerabilities | 5
CVE-ID | CVE-2025-2885, CVE-2025-2887, CVE-2025-2888, CVE-2025-2886
CWE-ID | CWE-20, CWE-1025, CWE-670
Exploitation vector | Network
Public exploit | N/A
Vulnerable software | tough (Web applications / JS libraries)
Vendor | Amazon Web Services
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU106239
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-2885
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote user to compromise the target system.
The vulnerability exists because the root metadata version is not checked for sequential versioning. A remote administrator can cause the target system to trust content associated with a previous root role.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: tough 0.1.0 - 0.19.0
CPE2.3:
References:
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/
https://github.com/awslabs/tough/security/advisories/GHSA-5vmp-m5v2-hx47
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
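As an added illustration (not tough's own code), the following Rust model shows the root-rotation step this entry concerns: a client must only accept a fetched root whose version is exactly one higher than the currently trusted root, signed to threshold by both the old and the new root keys. Signatures are reduced to sets of key IDs, and the names Root, RootError and update_root are assumptions made for the example.

```rust
// Added example, not tough's own code: a minimal model of TUF root-metadata
// rotation with the sequential-version check at issue in CVE-2025-2885.
// Signatures are reduced to the set of key IDs that signed a root; no
// cryptography is performed. Names (Root, RootError, update_root) are assumed.
use std::collections::HashSet;

#[derive(Clone, Debug, PartialEq)]
pub struct Root {
    pub version: u64,
    pub keyids: HashSet<&'static str>,    // keys this root authorises to sign root
    pub threshold: usize,
    pub signed_by: HashSet<&'static str>, // constructed stand-in for signatures
}
impl Root {
    pub fn new(version: u64, keyids: &[&'static str], threshold: usize,
               signed_by: &[&'static str]) -> Root {
        Root { version, threshold, keyids: keyids.iter().copied().collect(),
               signed_by: signed_by.iter().copied().collect() }
    }
}
#[derive(Debug, PartialEq)]
pub enum RootError {
    NonSequential { expected: u64, found: u64 },
    Threshold { version: u64 },
}
fn meets_threshold(root: &Root, keyids: &HashSet<&'static str>, threshold: usize) -> bool {
    root.signed_by.iter().filter(|k| keyids.contains(*k)).count() >= threshold
}

/// Apply a chain of fetched roots (N+1, N+2, ...) on top of the trusted root.
pub fn update_root(trusted: &Root, fetched: &[Root]) -> Result<Root, RootError> {
    let mut current = trusted.clone();
    for candidate in fetched {
        // The check at issue: each new root must be exactly one version ahead,
        // so an older or out-of-order root can never replace the trusted one.
        if candidate.version != current.version + 1 {
            return Err(RootError::NonSequential { expected: current.version + 1, found: candidate.version });
        }
        // A rotation must reach threshold under the previous root's keys and
        // under the new root's own keys.
        if !meets_threshold(candidate, &current.keyids, current.threshold)
            || !meets_threshold(candidate, &candidate.keyids, candidate.threshold)
        {
            return Err(RootError::Threshold { version: candidate.version });
        }
        current = candidate.clone();
    }
    Ok(current)
}
```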
EUVDB-ID: #VU106243
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote user to compromise the target system.
The vulnerability exists because cyclic delegation graphs are not detected. A remote administrator can exhaust the call stack and cause the process to abort.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: tough 0.1.0 - 0.19.0
CPE2.3:
References:
https://github.com/awslabs/tough/security/advisories/GHSA-j8x2-777p-23fc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU106242
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-2887
CWE-ID:
CWE-1025 - Comparison using wrong factors
Exploit availability: No
Description: The vulnerability allows a remote user to compromise the target system.
The vulnerability exists because delegated target rollback is not detected. A remote administrator can cause the affected software to trust and download outdated targets that it should reject.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: tough 0.1.0 - 0.19.0
CPE2.3:
References:
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/
https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU106241
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-2888
CWE-ID:
CWE-1025 - Comparison using wrong factors
Exploit availability: No
Description: The vulnerability allows a remote user to compromise the target system.
The vulnerability exists because timestamp metadata is cached even when it fails the snapshot rollback check. A remote administrator can cause the affected software to subsequently misidentify valid timestamp metadata as rolled back, preventing the client from consuming valid updates.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: tough 0.1.0 - 0.19.0
CPE2.3:
References:
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/
https://github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
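As an added illustration (not tough's own code), this Rust model reduces the timestamp step of a TUF client update to version numbers and contrasts the defective ordering this entry describes (timestamp persisted before the snapshot rollback check) with the corrected one; the names Timestamp, Client, UpdateError and update_timestamp are assumptions, and the snapshot download that follows is omitted.

```rust
// Added example, not tough's own code: the timestamp step of a TUF client
// update, reduced to version numbers, showing why timestamp metadata must be
// persisted only after the snapshot rollback check passes (CVE-2025-2888).
// Names (Timestamp, Client, UpdateError, update_timestamp) are assumed.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Timestamp {
    pub version: u64,
    pub snapshot_version: u64, // snapshot version this timestamp vouches for
}
#[derive(Debug, PartialEq)]
pub enum UpdateError {
    TimestampRollback { trusted: u64, found: u64 },
    SnapshotRollback { trusted: u64, found: u64 },
}
pub struct Client {
    pub trusted_timestamp: Timestamp,
    pub trusted_snapshot_version: u64, // from the last snapshot accepted
}

impl Client {
    fn check_timestamp(&self, new: Timestamp) -> Result<(), UpdateError> {
        if new.version < self.trusted_timestamp.version {
            return Err(UpdateError::TimestampRollback {
                trusted: self.trusted_timestamp.version, found: new.version });
        }
        Ok(())
    }
    fn check_snapshot(&self, new: Timestamp) -> Result<(), UpdateError> {
        if new.snapshot_version < self.trusted_snapshot_version {
            return Err(UpdateError::SnapshotRollback {
                trusted: self.trusted_snapshot_version, found: new.snapshot_version });
        }
        Ok(())
    }
    /// Defective ordering (the bug above): the timestamp is cached before the
    /// snapshot check, so a rejected timestamp raises the bar for later valid ones.
    pub fn update_timestamp_vulnerable(&mut self, new: Timestamp) -> Result<(), UpdateError> {
        self.check_timestamp(new)?;
        self.trusted_timestamp = new;
        self.check_snapshot(new)
    }
    /// Corrected ordering: persist only once both rollback checks have passed.
    pub fn update_timestamp(&mut self, new: Timestamp) -> Result<(), UpdateError> {
        self.check_timestamp(new)?;
        self.check_snapshot(new)?;
        self.trusted_timestamp = new;
        Ok(())
    }
}
```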
EUVDB-ID: #VU106240
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-2886
CWE-ID:
CWE-670 - Always-Incorrect Control Flow Implementation
Exploit availability: No
Description: The vulnerability allows a remote user to compromise the target system.
The vulnerability exists because terminating targets role delegations are not respected. A remote administrator can provide arbitrary contents to clients for targets owned by the delegating identity.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: tough 0.1.0 - 0.19.0
CPE2.3:
References:
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/
https://github.com/awslabs/tough/security/advisories/GHSA-v4wr-j3w6-mxqc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
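As an added illustration (not tough's own code) covering both delegation entries above (#VU106243, cyclic delegation graphs, and #VU106240, terminating delegations), this Rust model resolves a target through TUF targets delegations: roles already visited are skipped so a cycle cannot recurse until the stack is exhausted, and a terminating delegation ends the search even when the delegated role lacks the target. The types, the sample repository and the prefix-based path matching are constructed for the example.

```rust
// Added example, not tough's own code: target resolution through TUF targets
// delegations with cycle handling (#VU106243) and terminating delegations
// (#VU106240). Names (Delegation, Role, Repo, resolve, sample_repo) and the
// sample repository are constructed; path patterns are reduced to prefixes.
use std::collections::{HashMap, HashSet};

pub struct Delegation { pub role: &'static str, pub prefix: &'static str, pub terminating: bool }
pub struct Role { pub targets: Vec<(&'static str, &'static str)>, pub delegations: Vec<Delegation> }
pub type Repo = HashMap<&'static str, Role>;

/// Returns (role that lists the target, its hash), or None if no role may supply it.
pub fn resolve(repo: &Repo, target: &str) -> Option<(&'static str, &'static str)> {
    walk(repo, "targets", target, &mut HashSet::new())
}

fn walk(repo: &Repo, name: &'static str, target: &str, visited: &mut HashSet<&'static str>)
    -> Option<(&'static str, &'static str)> {
    // A role already visited on this search is skipped, so a cyclic graph ends
    // the branch here instead of recursing until the stack is exhausted.
    if !visited.insert(name) {
        return None;
    }
    let role = repo.get(name)?;
    if let Some((_, hash)) = role.targets.iter().find(|(path, _)| *path == target) {
        return Some((name, *hash));
    }
    for d in &role.delegations {
        if !target.starts_with(d.prefix) {
            continue; // this delegation may not speak for the path at all
        }
        if let Some(found) = walk(repo, d.role, target, visited) {
            return Some(found);
        }
        if d.terminating {
            return None; // stop here: later delegations may not fill in for a terminating one
        }
    }
    None
}

/// Constructed repository: targets delegates pkg/ to a (terminating or not) and
/// then to b; a delegates pkg/ back to targets, forming a cycle.
pub fn sample_repo(a_terminating: bool) -> Repo {
    let del = |role, terminating| Delegation { role, prefix: "pkg/", terminating };
    HashMap::from([
        ("targets", Role { targets: vec![], delegations: vec![del("a", a_terminating), del("b", false)] }),
        ("a", Role { targets: vec![("pkg/x", "hash-a")], delegations: vec![del("targets", false)] }),
        ("b", Role { targets: vec![("pkg/y", "hash-b")], delegations: vec![] }),
    ])
}
```

With `a` terminating, `pkg/y` must not be served by `b` even though `b` lists it; without the terminating flag it is, and the a -> targets cycle ends in either case.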