tough
crates.io9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting toughpage 1 of 1
- CVE-2020-15093HIGHCVSS 8.6EG 8.6✓ Fixed in 0.7.12020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of …
- CVE-2021-41149HIGHCVSS 8.2EG 8.2✓ Fixed in 0.12.02021-10-19
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specif…
- CVE-2021-41150HIGHCVSS 8.2EG 8.2✓ Fixed in 0.12.02021-10-19
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loadi…
- CVE-2025-2885MEDIUMCVSS 4.5EG 4.5✓ Fixed in 0.20.02025-03-27
Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users s…
- CVE-2025-2886MEDIUMCVSS 4.5EG 4.5✓ Fixed in 0.20.02025-03-27
Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, alteri…
- CVE-2025-2887MEDIUMCVSS 4.5EG 4.5✓ Fixed in 0.20.02025-03-27
During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or …
- CVE-2025-2888MEDIUMCVSS 4.5EG 4.5✓ Fixed in 0.20.02025-03-27
During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the ca…
- CVE-2026-6966MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.22.02026-04-24
Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signa…
- CVE-2026-6967MEDIUMCVSS 5.9EG 5.9✓ Fixed in 0.22.02026-04-24
Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for del…
Check whether tough is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for tough CVEs against the assets you own.
Start Free Scan →