CVE-2025-2885: tough root metadata version is not checked for sequential versioning
When updating the root role, a TUF client must establish an unbroken chain of trust from the root metadata it already trusts to the latest set of keys: each new root version must be signed by a threshold of the keys from the previously trusted root and by a threshold of its own keys. While sequentially downloading new versions of the root metadata file, tough did not check that the version of the root object it received was exactly one greater than the version of the previously trusted root metadata. A repository or on-path attacker able to serve a root file whose version number skips ahead can therefore cause the client to bypass the intermediate root versions, including any key revocations they carried, as long as the served file still validates against the keys of the older, still-trusted root.
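The following is an added illustration of the missing check, not code from tough itself. It models root metadata as a toy struct whose "signatures" are just key identifiers (no real cryptography), and contrasts an update loop that only verifies signature thresholds with one that also requires each fetched root to carry the next sequential version. The key names, the `fetch` closure and the sample repository contents are all constructed for the example.

```rust
use std::collections::HashSet;

// Toy stand-in for root.json: the key IDs allowed to sign the *next* root, the
// threshold, and the key IDs that signed this file. Real TUF verifies signatures
// over the canonical JSON; here a key ID standing in `signed_by` counts as a signature.
#[derive(Clone, Debug, PartialEq)]
pub struct Root {
    pub version: u64,
    pub root_keyids: Vec<&'static str>,
    pub threshold: usize,
    pub signed_by: Vec<&'static str>,
}

#[derive(Debug, PartialEq)]
pub enum RootUpdateError {
    NonSequentialVersion { expected: u64, found: u64 },
    ThresholdNotMet { version: u64 },
}

// Number of distinct signatures on `root` made by keys in `keys`.
fn signatures_from(root: &Root, keys: &[&str]) -> usize {
    let allowed: HashSet<&str> = keys.iter().copied().collect();
    let mut seen: HashSet<&str> = HashSet::new();
    root.signed_by
        .iter()
        .copied()
        .filter(|k| allowed.contains(*k) && seen.insert(*k))
        .count()
}

// TUF root rotation rule: a new root must meet the threshold of the previously
// trusted root's keys AND the threshold of its own keys.
fn verify_signatures(trusted: &Root, new: &Root) -> Result<(), RootUpdateError> {
    if signatures_from(new, &trusted.root_keyids) < trusted.threshold
        || signatures_from(new, &new.root_keyids) < new.threshold
    {
        return Err(RootUpdateError::ThresholdNotMet { version: new.version });
    }
    Ok(())
}

// Vulnerable shape: asks for version N+1 but accepts whatever version comes back.
pub fn update_root_unchecked(
    mut trusted: Root,
    fetch: &dyn Fn(u64) -> Option<Root>,
) -> Result<Root, RootUpdateError> {
    loop {
        let candidate = match fetch(trusted.version + 1) {
            Some(r) => r,
            None => return Ok(trusted),
        };
        // Missing here: candidate.version is never compared with the requested version.
        verify_signatures(&trusted, &candidate)?;
        trusted = candidate;
    }
}

// Hardened shape: the received root must be exactly the next sequential version.
pub fn update_root_checked(
    mut trusted: Root,
    fetch: &dyn Fn(u64) -> Option<Root>,
) -> Result<Root, RootUpdateError> {
    loop {
        let expected = trusted.version + 1;
        let candidate = match fetch(expected) {
            Some(r) => r,
            None => return Ok(trusted),
        };
        if candidate.version != expected {
            return Err(RootUpdateError::NonSequentialVersion {
                expected,
                found: candidate.version,
            });
        }
        verify_signatures(&trusted, &candidate)?;
        trusted = candidate;
    }
}

// Constructed sample data: the client trusts root v1 with keys A and B.
pub fn initial_root() -> Root {
    Root { version: 1, root_keyids: vec!["A", "B"], threshold: 1, signed_by: vec!["A"] }
}

// Honest repository: v2 revokes key A (rotating to B and C), v3 keeps only C.
pub fn honest_fetch(version: u64) -> Option<Root> {
    match version {
        2 => Some(Root { version: 2, root_keyids: vec!["B", "C"], threshold: 1, signed_by: vec!["A", "C"] }),
        3 => Some(Root { version: 3, root_keyids: vec!["C"], threshold: 1, signed_by: vec!["C"] }),
        _ => None,
    }
}

// Attacker who holds the revoked key A serves a root that jumps straight to v5,
// skipping the revocation in v2, when the client asks for v2.
pub fn malicious_fetch(version: u64) -> Option<Root> {
    match version {
        2 => Some(Root { version: 5, root_keyids: vec!["attacker-key"], threshold: 1, signed_by: vec!["A", "attacker-key"] }),
        _ => None,
    }
}

fn main() {
    println!("unchecked: {:?}", update_root_unchecked(initial_root(), &malicious_fetch));
    println!("checked:   {:?}", update_root_checked(initial_root(), &malicious_fetch));
}
```

Against the honest repository both loops end at v3. Against the malicious fetcher the unchecked loop accepts the v5 root signed by the revoked key A and hands control of the root role to `attacker-key`, while the checked loop stops with `NonSequentialVersion { expected: 2, found: 5 }` before any signature is even considered.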