
CVE-2025-2887: tough failure to detect delegated target rollback

March 28, 2025 (updated April 2, 2025)

When updating the snapshot role, a TUF client must ensure that every targets or delegated targets metadata file listed in the previously trusted snapshot is still listed in the new snapshot metadata, and that each such file's version in the new snapshot is greater than or equal to the previously trusted version. tough performed this check for the top-level targets metadata file, but it did not perform it for delegated targets metadata files, so a rollback of a delegated targets file went undetected.
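To make the missing check concrete, the following is an added example written for this advisory; it is not tough's own code and does not use its API. It models a snapshot's `meta` map as a plain map from metadata file name to version (constructed sample data, not real repository metadata) and contrasts a check that only compares `targets.json` with one that compares every file the trusted snapshot lists, which is what the snapshot update step of the TUF specification requires.

```rust
use std::collections::BTreeMap;

/// Simplified stand-in for a snapshot's `meta` map: metadata file name -> version.
/// Constructed for this example; real snapshot metadata carries more fields.
pub type SnapshotMeta = BTreeMap<String, u64>;

#[derive(Debug, PartialEq, Eq)]
pub enum RollbackError {
    /// A metadata file listed in the trusted snapshot is absent from the new one.
    Missing { file: String },
    /// The new snapshot lists an older version than the trusted snapshot.
    OlderVersion { file: String, trusted: u64, new: u64 },
}

/// Compare one metadata file between the trusted and the new snapshot.
fn check_one(file: &str, trusted: &SnapshotMeta, new: &SnapshotMeta) -> Result<(), RollbackError> {
    let trusted_version = match trusted.get(file) {
        Some(&v) => v,
        // Never seen before: there is nothing to roll back from.
        None => return Ok(()),
    };
    match new.get(file) {
        None => Err(RollbackError::Missing { file: file.to_string() }),
        Some(&new_version) if new_version < trusted_version => Err(RollbackError::OlderVersion {
            file: file.to_string(),
            trusted: trusted_version,
            new: new_version,
        }),
        Some(_) => Ok(()),
    }
}

/// Rollback check covering only the top-level targets file. This mirrors the gap
/// described in the advisory: delegated targets files are never compared, so an
/// older version of one of them is accepted without complaint.
pub fn check_snapshot_rollback_targets_only(
    trusted: &SnapshotMeta,
    new: &SnapshotMeta,
) -> Result<(), RollbackError> {
    check_one("targets.json", trusted, new)
}

/// Rollback check covering every metadata file the trusted snapshot lists:
/// the top-level targets file and all delegated targets files.
pub fn check_snapshot_rollback_all(
    trusted: &SnapshotMeta,
    new: &SnapshotMeta,
) -> Result<(), RollbackError> {
    for file in trusted.keys() {
        check_one(file, trusted, new)?;
    }
    Ok(())
}

/// Constructed trusted snapshot: top-level targets plus one delegated role.
pub fn sample_trusted() -> SnapshotMeta {
    BTreeMap::from([("targets.json".to_string(), 7), ("team-a.json".to_string(), 5)])
}

/// Constructed candidate snapshot where the delegated role went backwards (5 -> 3)
/// while the top-level targets version advanced.
pub fn sample_rolled_back_delegation() -> SnapshotMeta {
    BTreeMap::from([("targets.json".to_string(), 8), ("team-a.json".to_string(), 3)])
}

/// Constructed candidate snapshot that silently drops the delegated role.
pub fn sample_missing_delegation() -> SnapshotMeta {
    BTreeMap::from([("targets.json".to_string(), 8)])
}

fn main() {
    let trusted = sample_trusted();
    let candidate = sample_rolled_back_delegation();
    println!("targets-only check: {:?}", check_snapshot_rollback_targets_only(&trusted, &candidate));
    println!("full check:         {:?}", check_snapshot_rollback_all(&trusted, &candidate));
}
```

On the constructed data the targets-only check returns `Ok(())` even though `team-a.json` moved from version 5 to 3, whereas the full check reports the older version; the same loop also catches a delegated file that disappears from the new snapshot, which is the other half of the specification's requirement.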

References

  • aws.amazon.com/security/security-bulletins/AWS-2025-007
  • github.com/advisories/GHSA-q6r9-r9pw-4cf7
  • github.com/awslabs/tough
  • github.com/awslabs/tough/commit/3345151a87c358d1ce43aeb7e8b3ebea5ebdbab4
  • github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7
  • nvd.nist.gov/vuln/detail/CVE-2025-2887

Affected versions

All versions before 0.20.0

Fixed versions

  • 0.20.0

Solution

Upgrade to version 0.20.0 or above.

Impact: 4.2 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Weakness

  • CWE-1025: Comparison Using Wrong Factors

Source file

cargo/tough/CVE-2025-2887.yml

Page generated Wed, 14 May 2025 12:15:07 +0000.