Home > Vulnerability Database > CVE-2025-2886

Mend.io Vulnerability Database

CVE-2025-2886

Good to know:

Date: March 27, 2025

Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

Severity Score

4.5

Related Resources (8)

Url: https://github.com/awslabs/tough/security/advisories/GHSA-v4wr-j3w6-mxqc

Url: https://github.com/awslabs/tough/commit/598111f88105a707ee68b0fa06c52da7176ea96a

Url: https://github.com/awslabs/tough/releases/tag/tough-v0.20.0

Url: https://aws.amazon.com/security/security-bulletins/AWS-2025-007

Url: https://aws.amazon.com/security/security-bulletins/AWS-2025-007/

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-2886

Url: https://github.com/awslabs/tough

Url: https://www.mend.io/vulnerability-database/CVE-2025-2886

Severity Score

4.5

Weakness Type (CWE)

Always-Incorrect Control Flow Implementation

CWE-670

Top Fix

Upgrade Version

Upgrade to version tough - 0.20.0

Learn More

CVSS v3.1

Base Score:	4.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-2886

Good to know:

Date: March 27, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?