CVE-2025-2885

EPSS 0.04%
Published 27.03.2025 22:18:11
Last modified 19.09.2025 14:31:49
Source ff89ba41-3aa1-4d27-914a-91399e
Teams watchlist Login
Open Login

Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Amazon ≫ Tough SwPlatformrust Version < 0.20.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.123

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.5	0.9	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
ff89ba41-3aa1-4d27-914a-91399e9639e5	5.7	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1288 Improper Validation of Consistency within Input

The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.

https://github.com/awslabs/tough/security/advisories/GHSA-5vmp-m5v2-hx47

Vendor Advisory

https://aws.amazon.com/security/security-bulletins/AWS-2025-007/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-2885

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-2885

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-2885

EUVD