CVE-2025-2888: tough timestamp metadata is cached when it fails snapshot rollback check

March 28, 2025 (updated April 2, 2025)

TUF repositories use the timestamp role to protect against rollback events by enabling an automated process to periodically sign the role’s metadata. While tough will ensure that the version of snapshot metadata in new timestamp metadata files was always greater than or equal to the previously trusted version, it will only do so after persisting the timestamp metadata to its cache.

References

aws.amazon.com/security/security-bulletins/AWS-2025-007
github.com/advisories/GHSA-76g3-38jv-wxh4
github.com/awslabs/tough
github.com/awslabs/tough/commit/9b400e1c8b7d6b9ab8009104fa7fe5884db05f18
github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4
nvd.nist.gov/vuln/detail/CVE-2025-2888

Code Behaviors & Features

Detect and mitigate CVE-2025-2888 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →