What is CVE-2025-2888?

CVE-2025-2888 is a vulnerability in Aws Tough, classified under CWE-1025. Published 2025-03-27.

Is CVE-2025-2888 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Aws Tough

CVE-2025-2888

During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the ca…

EPSS: 0.003 (49.1th percentile) — read the EPSS interpretation.

Affected products

Aws Tough — versions 0.1.0

Weakness classification (CWE)

CWE-1025

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds
murataydemir/AWS-Tough-Library-Multiple-CVEs

References

github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4 (vendor-advisory)
aws.amazon.com/security/security-bulletins/AWS-2025-007/ (vendor-advisory)
github.com/awslabs/tough/releases/tag/tough-v0.20.0 (patch)

Frequently asked questions

What is CVE-2025-2888?: CVE-2025-2888 is a vulnerability in Aws Tough, classified under CWE-1025. Published 2025-03-27.
Is CVE-2025-2888 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.