CVE-2025-2887
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-2887
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-2887.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-2887
- Aliases
- Published
- 2025-03-27T23:15:35Z
- Modified
- 2025-10-22T10:09:35.703168Z
- Severity
-
- 4.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
- References
Affected packages
Git / github.com/awslabs/tough
Affected ranges
- Type
- GIT
- Repo
- https://github.com/awslabs/tough
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
olpc-cjson-v0.*
olpc-cjson-v0.1.0
olpc-cjson-v0.1.1
olpc-cjson-v0.1.2
olpc-cjson-v0.1.3
olpc-cjson-v0.1.4
tough-kms-v0.*
tough-kms-v0.1.0
tough-kms-v0.1.1
tough-kms-v0.10.0
tough-kms-v0.11.0
tough-kms-v0.2.0
tough-kms-v0.3.0
tough-kms-v0.3.1
tough-kms-v0.3.2
tough-kms-v0.3.3
tough-kms-v0.3.4
tough-kms-v0.3.5
tough-kms-v0.3.6
tough-kms-v0.4.0
tough-kms-v0.4.1
tough-kms-v0.4.2
tough-kms-v0.5.0
tough-kms-v0.6.0
tough-kms-v0.7.0
tough-kms-v0.8.0
tough-kms-v0.9.0
tough-ssm-v0.*
tough-ssm-v0.1.0
tough-ssm-v0.10.0
tough-ssm-v0.11.0
tough-ssm-v0.12.0
tough-ssm-v0.13.0
tough-ssm-v0.14.0
tough-ssm-v0.2.0
tough-ssm-v0.3.0
tough-ssm-v0.4.0
tough-ssm-v0.5.0
tough-ssm-v0.6.0
tough-ssm-v0.6.1
tough-ssm-v0.6.2
tough-ssm-v0.6.3
tough-ssm-v0.6.4
tough-ssm-v0.6.5
tough-ssm-v0.6.6
tough-ssm-v0.7.0
tough-ssm-v0.7.1
tough-ssm-v0.7.2
tough-ssm-v0.8.0
tough-ssm-v0.9.0
tough-v0.*
tough-v0.1.0
tough-v0.10.0
tough-v0.11.0
tough-v0.11.1
tough-v0.11.2
tough-v0.11.3
tough-v0.12.0
tough-v0.12.1
tough-v0.12.2
tough-v0.12.3
tough-v0.12.4
tough-v0.12.5
tough-v0.13.0
tough-v0.14.0
tough-v0.15.0
tough-v0.16.0
tough-v0.17.0
tough-v0.17.1
tough-v0.18.0
tough-v0.19.0
tough-v0.2.0
tough-v0.3.0
tough-v0.4.0
tough-v0.5.0
tough-v0.6.0
tough-v0.7.0
tough-v0.7.1
tough-v0.8.0
tough-v0.9.0
tuftool-v0.*
tuftool-v0.1.0
tuftool-v0.1.1
tuftool-v0.10.0
tuftool-v0.10.1
tuftool-v0.10.2
tuftool-v0.10.3
tuftool-v0.11.0
tuftool-v0.11.1
tuftool-v0.12.0
tuftool-v0.2.0
tuftool-v0.3.0
tuftool-v0.4.0
tuftool-v0.4.1
tuftool-v0.5.0
tuftool-v0.6.0
tuftool-v0.6.1
tuftool-v0.6.2
tuftool-v0.6.3
tuftool-v0.6.4
tuftool-v0.7.0
tuftool-v0.7.1
tuftool-v0.7.2
tuftool-v0.8.0
tuftool-v0.8.1
tuftool-v0.8.2
tuftool-v0.9.0