
GHSA-j8x2-777p-23fc: tough cyclic delegation graphs are not detected

March 28, 2025 (updated April 2, 2025)

In a TUF repository, the targets role's signature indicates which target files clients may trust. The targets role can delegate full or partial trust to other roles, meaning the delegated role is trusted to sign metadata for target files (all of them, or only those matching its delegated paths), and delegated roles can in turn delegate trust to further roles. The result is a directed graph of roles that a client walks when it searches for the metadata describing a given target. Before 0.20.0, tough did not detect cycles in that graph: a chain of delegations that leads back to a role already visited on the current search was not recognised, so the walk could keep following the same delegations instead of terminating. The TUF specification requires clients to skip roles already visited during this walk and to bound the number of delegations followed, which is the behaviour a client should verify it gets after upgrading.
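The following is an added example, not code from tough or from the advisory, that models the delegation walk on a small constructed repository (`targets -> a -> b -> a`) and contrasts a walk without cycle detection against one that skips already-visited roles. The `Role`, `Graph` and `Resolution` types, the role names and the target paths are all assumptions made for the illustration; tough's own data model and the referenced fix commit differ.

```rust
use std::collections::{HashMap, HashSet};

/// Minimal model of a TUF delegation graph, constructed for this example
/// (this is not tough's data model). A role lists the target paths it signs
/// for and the roles it delegates to, in delegation order.
#[derive(Debug)]
pub struct Role {
    pub targets: Vec<&'static str>,
    pub delegations: Vec<&'static str>,
}

pub type Graph = HashMap<&'static str, Role>;

/// Constructed repository whose delegation graph contains a cycle:
/// targets -> a -> b -> a. Role and target names are invented for the example.
pub fn cyclic_graph() -> Graph {
    let mut g = HashMap::new();
    g.insert("targets", Role { targets: vec!["README.md"], delegations: vec!["a"] });
    g.insert("a", Role { targets: vec!["pkg/a.tar.gz"], delegations: vec!["b"] });
    g.insert("b", Role { targets: vec!["pkg/b.tar.gz"], delegations: vec!["a"] });
    g
}

/// Outcome of resolving which role signs metadata for a target path.
#[derive(Debug, PartialEq)]
pub enum Resolution {
    Found { role: &'static str, steps: usize },
    NotFound { steps: usize },
    /// The walk used up its step budget without finishing: what a client
    /// without cycle detection does on a cyclic graph when the target is absent.
    BudgetExhausted,
}

/// Preorder delegation walk WITHOUT cycle detection. Only the step budget
/// stops it, which is what makes the cycle observable here.
pub fn resolve_without_cycle_check(g: &Graph, target: &str, budget: usize) -> Resolution {
    let mut stack: Vec<&'static str> = vec!["targets"];
    let mut steps = 0;
    while let Some(role) = stack.pop() {
        if steps >= budget {
            return Resolution::BudgetExhausted;
        }
        steps += 1;
        let r = match g.get(role) {
            Some(r) => r,
            None => continue, // dangling delegation: nothing to walk
        };
        if r.targets.iter().any(|t| *t == target) {
            return Resolution::Found { role, steps };
        }
        // Push in reverse so the first-listed delegation is explored first.
        for d in r.delegations.iter().rev() {
            stack.push(*d);
        }
    }
    Resolution::NotFound { steps }
}

/// Preorder delegation walk WITH cycle detection: a role already visited is
/// skipped, as the TUF specification's delegation traversal requires. On the
/// cyclic graph this terminates after visiting each role exactly once.
pub fn resolve_with_cycle_check(g: &Graph, target: &str) -> Resolution {
    let mut stack: Vec<&'static str> = vec!["targets"];
    let mut visited: HashSet<&'static str> = HashSet::new();
    let mut steps = 0;
    while let Some(role) = stack.pop() {
        if !visited.insert(role) {
            continue; // already walked on this search: cycle (or diamond)
        }
        steps += 1;
        let r = match g.get(role) {
            Some(r) => r,
            None => continue,
        };
        if r.targets.iter().any(|t| *t == target) {
            return Resolution::Found { role, steps };
        }
        for d in r.delegations.iter().rev() {
            stack.push(*d);
        }
    }
    Resolution::NotFound { steps }
}

fn main() {
    let g = cyclic_graph();
    println!("{:?}", resolve_with_cycle_check(&g, "pkg/b.tar.gz"));
    println!("{:?}", resolve_with_cycle_check(&g, "missing.txt"));
    println!("{:?}", resolve_without_cycle_check(&g, "missing.txt", 1_000));
}
```

Both walks find `pkg/b.tar.gz` in three steps, so a repository that only ever asks for targets that exist will not notice the missing check; the difference shows up on a target that no role in the cycle signs for, where the unchecked walk never runs out of roles to visit and only the artificial budget ends it, while the checked walk stops after visiting `targets`, `a` and `b` once each. A production client should keep a delegation limit in addition to the visited set, as the specification also requires.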

References

  • aws.amazon.com/security/security-bulletins/AWS-2025-007
  • github.com/advisories/GHSA-j8x2-777p-23fc
  • github.com/awslabs/tough
  • github.com/awslabs/tough/commit/c5ee1718e630fdedc5676bf71b5bef10e4c7f91c
  • github.com/awslabs/tough/security/advisories/GHSA-j8x2-777p-23fc

Affected versions

All versions before 0.20.0

Fixed versions

  • 0.20.0

Solution

Upgrade to version 0.20.0 or above (for example with `cargo update -p tough`). Because tough is usually pulled in transitively, run `cargo tree -i tough` to see which crates in your build depend on it and confirm the resolved version in Cargo.lock is 0.20.0 or later.

Impact: 2.7 LOW (CVSS v3.1)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Source file

cargo/tough/GHSA-j8x2-777p-23fc.yml

Page generated Tue, 13 May 2025 00:15:39 +0000.