#VU106242 Comparison using wrong factors in tough - CVE-2025-2887

Cybersecurity Help s.r.o.

Published: 2025-03-28

Vulnerability identifier: #VU106242

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-2887

CWE-ID: CWE-1025

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
tough
Web applications / JS libraries

Vendor: Amazon Web Services

Description

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to failure to detect delegated target rollback. A remote administrator can cause the affected software to trust and download outdated targets that it should reject.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

tough: 0.1.0 - 0.19.0

External links
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/
https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in tough