CVE-2025-2886: tough terminating targets role delegations are not respected
Delegations are a mechanism defined by the TUF specification that allows multiple different identities to provide and sign content within a single repository. Terminating delegations and delegation priority give a TUF repository unambiguous control over how overlapping delegations are resolved: when a target path matches a terminating delegation, the search must stop at that delegation whether or not it provides the target. tough erroneously does not terminate the search as required, and accepts information from a lower-priority delegation that should have been ignored.
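The resolution rule described above, as an added example that is not tough's code: a simplified model of the TUF delegation search over a constructed delegation tree, with a flag that switches between the spec-compliant terminating behaviour and the fall-through to a lower-priority delegation that the advisory describes. The role names, target paths and prefix-style path matching are constructed assumptions, not values from the advisory.

```rust
use std::collections::HashMap;

/// One delegation entry of a TUF targets role (simplified; real TUF uses glob paths).
pub struct Delegation {
    pub role: &'static str,
    pub paths: &'static [&'static str], // "dir/*" = prefix match, anything else exact
    pub terminating: bool,
}

/// A targets-type role: the paths it signs for and its delegations, in priority order.
pub struct TargetsRole {
    pub targets: &'static [&'static str],
    pub delegations: &'static [Delegation],
}

fn path_matches(pattern: &str, target: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => target.starts_with(prefix),
        None => pattern == target,
    }
}

/// Search `role` and its delegations for `target`; return the role that provides it.
/// `honor_terminating == true` follows the TUF spec: a matching terminating delegation ends
/// the search whether or not the target was found beneath it. `false` models the behaviour
/// the advisory describes: the search falls through to lower-priority delegations.
pub fn find_target(repo: &HashMap<&'static str, TargetsRole>, role: &'static str,
                   target: &str, honor_terminating: bool) -> Option<&'static str> {
    let r = repo.get(role)?;
    if r.targets.iter().any(|t| *t == target) { return Some(role); }
    for d in r.delegations.iter().filter(|d| d.paths.iter().any(|p| path_matches(p, target))) {
        let found = find_target(repo, d.role, target, honor_terminating);
        if found.is_some() || (d.terminating && honor_terminating) {
            return found; // terminating delegation: stop here even when nothing was found
        }
    }
    None
}

/// Constructed repository: "team-a" holds a terminating delegation for "pkgs/*" but does not
/// sign "pkgs/other.tar"; the lower-priority "team-b" also claims "pkgs/*" and does sign it.
pub fn sample_repo() -> HashMap<&'static str, TargetsRole> {
    let mut repo = HashMap::new();
    repo.insert("targets", TargetsRole { targets: &["README"], delegations: &[
        Delegation { role: "team-a", paths: &["pkgs/*"], terminating: true },
        Delegation { role: "team-b", paths: &["pkgs/*"], terminating: false },
    ]});
    repo.insert("team-a", TargetsRole { targets: &["pkgs/app.tar"], delegations: &[] });
    repo.insert("team-b", TargetsRole { targets: &["pkgs/app.tar", "pkgs/other.tar"], delegations: &[] });
    repo
}
```

With the spec rule honoured, `pkgs/other.tar` resolves to no role (team-a terminates the search); with the fall-through, team-b's metadata is wrongly accepted.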
References
- aws.amazon.com/security/security-bulletins/AWS-2025-007
- github.com/advisories/GHSA-v4wr-j3w6-mxqc
- github.com/awslabs/tough
- github.com/awslabs/tough/commit/598111f88105a707ee68b0fa06c52da7176ea96a
- github.com/awslabs/tough/releases/tag/tough-v0.20.0
- github.com/awslabs/tough/security/advisories/GHSA-v4wr-j3w6-mxqc
- nvd.nist.gov/vuln/detail/CVE-2025-2886