VYPR

Go Tuf

by Theupdateframework

Source repositories

CVEs (6)

  • CVE-2020-15163HigSep 9, 2020
    risk 0.50cvss 8.7epss 0.01

    Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata…

  • CVE-2024-47534HigOct 1, 2024
    risk 0.46cvss epss 0.00

    go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C"…

  • CVE-2022-29173HigMay 5, 2022
    risk 0.45cvss 8.0epss 0.01

    go-tuf is a Go implementation of The Update Framework (TUF). go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker…

  • CVE-2026-24686Jan 27, 2026
    risk 0.00cvss epss 0.00

    go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version…

  • CVE-2026-23992Jan 22, 2026
    risk 0.00cvss epss 0.00

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification.…

  • CVE-2026-23991Jan 22, 2026
    risk 0.00cvss epss 0.01

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing,…