What is CVE-2025-2885?

CVE-2025-2885 is a vulnerability in Aws Tough, classified under CWE-1288. Published 2025-03-27.

Is CVE-2025-2885 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Aws Tough

CVE-2025-2885

Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users s…

EPSS: 0.003 (49.1th percentile) — read the EPSS interpretation.

Affected products

Aws Tough — versions 0.1.0

Weakness classification (CWE)

CWE-1288

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds
murataydemir/AWS-Tough-Library-Multiple-CVEs

References

github.com/awslabs/tough/security/advisories/GHSA-5vmp-m5v2-hx47 (vendor-advisory)
aws.amazon.com/security/security-bulletins/AWS-2025-007/ (vendor-advisory)
github.com/awslabs/tough/releases/tag/tough-v0.20.0 (patch)

Frequently asked questions

What is CVE-2025-2885?: CVE-2025-2885 is a vulnerability in Aws Tough, classified under CWE-1288. Published 2025-03-27.
Is CVE-2025-2885 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.