CVE-2025-2886

Source
https://cve.org/CVERecord?id=CVE-2025-2886
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-2886.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-2886
Aliases
Published
2025-03-27T22:22:14.382Z
Modified
2026-07-08T07:38:54.772853275Z
Severity
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Terminating targets role delegations are not respected in tough
Details

Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/2xxx/CVE-2025-2886.json",
    "cwe_ids": [
        "CWE-670"
    ],
    "cna_assigner": "AMZN"
}
References

Affected packages

Git / github.com/awslabs/tough

Affected ranges

Type
GIT
Repo
https://github.com/awslabs/tough
Events
Database specific
{
    "cpe": "cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.1.0"
        },
        {
            "fixed": "0.20.0"
        },
        {
            "introduced": "0"
        }
    ]
}

Affected versions

olpc-cjson-v0.*
olpc-cjson-v0.1.0
olpc-cjson-v0.1.1
olpc-cjson-v0.1.2
olpc-cjson-v0.1.3
olpc-cjson-v0.1.4
tough-kms-v0.*
tough-kms-v0.1.0
tough-kms-v0.1.1
tough-kms-v0.10.0
tough-kms-v0.11.0
tough-kms-v0.3.1
tough-kms-v0.3.2
tough-kms-v0.3.3
tough-kms-v0.3.4
tough-kms-v0.3.6
tough-kms-v0.4.0
tough-kms-v0.4.1
tough-kms-v0.4.2
tough-kms-v0.5.0
tough-kms-v0.6.0
tough-kms-v0.7.0
tough-kms-v0.8.0
tough-kms-v0.9.0
tough-ssm-v0.*
tough-ssm-v0.1.0
tough-ssm-v0.10.0
tough-ssm-v0.11.0
tough-ssm-v0.12.0
tough-ssm-v0.13.0
tough-ssm-v0.14.0
tough-ssm-v0.2.0
tough-ssm-v0.3.0
tough-ssm-v0.4.0
tough-ssm-v0.6.1
tough-ssm-v0.6.2
tough-ssm-v0.6.3
tough-ssm-v0.6.4
tough-ssm-v0.6.6
tough-ssm-v0.7.0
tough-ssm-v0.7.1
tough-ssm-v0.7.2
tough-ssm-v0.8.0
tough-ssm-v0.9.0
tough-v0.*
tough-v0.1.0
tough-v0.11.1
tough-v0.11.2
tough-v0.11.3
tough-v0.12.0
tough-v0.12.2
tough-v0.12.3
tough-v0.12.4
tough-v0.12.5
tough-v0.13.0
tough-v0.14.0
tough-v0.15.0
tough-v0.16.0
tough-v0.17.0
tough-v0.17.1
tough-v0.18.0
tough-v0.19.0
tough-v0.2.0
tough-v0.3.0
tough-v0.4.0
tough-v0.5.0
tough-v0.6.0
tough-v0.7.0
tough-v0.8.0
tough-v0.9.0
tuftool-v0.*
tuftool-v0.1.0
tuftool-v0.1.1
tuftool-v0.10.0
tuftool-v0.10.1
tuftool-v0.10.2
tuftool-v0.10.3
tuftool-v0.11.0
tuftool-v0.11.1
tuftool-v0.12.0
tuftool-v0.2.0
tuftool-v0.3.0
tuftool-v0.4.0
tuftool-v0.4.1
tuftool-v0.5.0
tuftool-v0.6.2
tuftool-v0.6.3
tuftool-v0.6.4
tuftool-v0.7.0
tuftool-v0.7.2
tuftool-v0.8.0
tuftool-v0.8.1
tuftool-v0.8.2
tuftool-v0.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-2886.json"