CVE-2025-2886

Terminating targets role delegations are not respected in tough

CVSS 5.7 MEDIUMEPSS 0.3%CWE-670

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.7EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

27 Mar 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

AWS · tough

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://aws.amazon.com/security/security-bulletins/AWS-2025-007/https://github.com/awslabs/tough/releases/tag/tough-v0.20.0 https://github.com/awslabs/tough/security/advisories/GHSA-v4wr-j3w6-mxqc