Moderate severityNVD Advisory· Published Mar 27, 2025· Updated Oct 14, 2025
Improper timestamp caching during snapshot rollback in tough
CVE-2025-2888
Description
During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
toughcrates.io | < 0.20.0 | 0.20.0 |
Affected products
2- AWS/toughv5Range: 0.1.0
Patches
Vulnerability mechanics
References
7- github.com/awslabs/tough/releases/tag/tough-v0.20.0ghsapatchWEB
- aws.amazon.com/security/security-bulletins/AWS-2025-007/mitrevendor-advisory
- github.com/advisories/GHSA-76g3-38jv-wxh4ghsaADVISORY
- github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-2888ghsaADVISORY
- aws.amazon.com/security/security-bulletins/AWS-2025-007ghsaWEB
- github.com/awslabs/tough/commit/9b400e1c8b7d6b9ab8009104fa7fe5884db05f18ghsaWEB
News mentions
0No linked articles in our index yet.