CVE-2025-2885

EPSS 0.04%
Veröffentlicht 27.03.2025 22:18:11
Zuletzt bearbeitet 19.09.2025 14:31:49
Quelle ff89ba41-3aa1-4d27-914a-91399e
Teams Watchlist Login
Unerledigt Login

Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Amazon ≫ Tough SwPlatformrust Version < 0.20.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.123

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.5	0.9	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
ff89ba41-3aa1-4d27-914a-91399e9639e5	5.7	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1288 Improper Validation of Consistency within Input

The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.

https://github.com/awslabs/tough/security/advisories/GHSA-5vmp-m5v2-hx47

Vendor Advisory

https://aws.amazon.com/security/security-bulletins/AWS-2025-007/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-2885

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-2885

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-2885

EUVD