Vulnerability in AWS Tough

CVE-2025-2887

During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or…

EPSS: 0.002 (48.0th percentile).

Frequently asked questions

What is CVE-2025-2887?
CVE-2025-2887 is a vulnerability in AWS Tough, classified under CWE-1025. Published 2025-03-27.

Is CVE-2025-2887 known to be exploited?
2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.