CVE-2025-2888

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-2888
During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

4.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/ Vendor Advisory
https://github.com/awslabs/tough/releases/tag/tough-v0.20.0
https://github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*
History

14 Oct 2025, 19:15

Type Values Removed Values Added
References
  • () https://github.com/awslabs/tough/releases/tag/tough-v0.20.0 -

19 Sep 2025, 14:32

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.5
CPE cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*
First Time Amazon
Amazon tough
References () https://aws.amazon.com/security/security-bulletins/AWS-2025-007/ - () https://aws.amazon.com/security/security-bulletins/AWS-2025-007/ - Vendor Advisory
References () https://github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4 - () https://github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4 - Vendor Advisory
Summary
  • (es) Durante la reversión de una instantánea, el cliente almacena incorrectamente en caché los metadatos de la marca de tiempo. Si el cliente revisa la caché al intentar realizar la siguiente actualización, la validación de la marca de tiempo fallará, impidiendo la siguiente actualización hasta que se borre la caché. Los usuarios deben actualizar a la versión 0.20.0 o posterior y asegurarse de que cualquier código derivado o bifurcado esté parcheado para incorporar las nuevas correcciones.

27 Mar 2025, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-27 23:15

Updated : 2025-10-14 19:15

NVD link : CVE-2025-2888

Mitre link : CVE-2025-2888

CVE.ORG link : CVE-2025-2888

JSON object : View

Products Affected

amazon

  • tough
CWE
CWE-1025

Comparison Using Wrong Factors