CVE-2025-2886: tough terminating targets role delegations are not respected

March 28, 2025 (updated April 2, 2025)

Delegations are a mechanism defined by the TUF specification that allow multiple different identities to provide and sign content within a single repository. Terminating delegations and delegation priority give a TUF repository unambiguous control over how overlapping delegations are resolved. tough erroneously will not terminate a search as required, and will accept information from a lower-priority delegation that should have been ignored.

References

aws.amazon.com/security/security-bulletins/AWS-2025-007
github.com/advisories/GHSA-v4wr-j3w6-mxqc
github.com/awslabs/tough
github.com/awslabs/tough/commit/598111f88105a707ee68b0fa06c52da7176ea96a
github.com/awslabs/tough/security/advisories/GHSA-v4wr-j3w6-mxqc
nvd.nist.gov/vuln/detail/CVE-2025-2886

Code Behaviors & Features

Detect and mitigate CVE-2025-2886 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →