What is CVE-2025-2886?

CVE-2025-2886 is a vulnerability in Aws Tough, classified under Always-Incorrect Control Flow Implementation. Published 2025-03-27.

Is CVE-2025-2886 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Aws Tough

CVE-2025-2886

Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, alteri…

EPSS: 0.003 (49.1th percentile) — read the EPSS interpretation.

Affected products

Aws Tough — versions 0.1.0

Weakness classification (CWE)

CWE-670 — Always-Incorrect Control Flow Implementation

Public proof-of-concept exploits

References

github.com/awslabs/tough/security/advisories/GHSA-v4wr-j3w6-mxqc (vendor-advisory)
aws.amazon.com/security/security-bulletins/AWS-2025-007/ (vendor-advisory)
github.com/awslabs/tough/releases/tag/tough-v0.20.0 (patch)

Frequently asked questions

What is CVE-2025-2886?: CVE-2025-2886 is a vulnerability in Aws Tough, classified under Always-Incorrect Control Flow Implementation. Published 2025-03-27.
Is CVE-2025-2886 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.