CVE-2025-2888: 
Rust vulnerability analysis and mitigation

CVE-2025-2888 is a vulnerability discovered in tough, a Rust client library for The Update Framework (TUF) repositories, affecting versions prior to 0.20.0. The vulnerability was disclosed on March 27, 2025, and involves incorrect caching of timestamp metadata during snapshot rollback operations (AWS Security Bulletin, NVD).

During a snapshot rollback, the client incorrectly caches the timestamp metadata despite it being correctly rejected when a rollback is detected. The vulnerability has been assigned a CVSS v4.0 score of 5.7 (Medium) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N. The issue is classified under CWE-1025 (Comparison Using Wrong Factors) (NVD, GitHub Advisory).

If the tough client successfully detects a rollback event in which timestamp metadata contains outdated snapshot metadata, the invalid timestamp metadata will still be persisted to cache as trusted. This can cause tough to subsequently fail to consume valid updates, as it may incorrectly identify valid timestamp metadata as being rolled back (GitHub Advisory).

The vulnerability has been patched in tough version 0.20.0. Users are strongly advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. No alternative workarounds are recommended (AWS Security Bulletin, GitHub Advisory).

The vulnerability was identified by the TUF-Conformance project, with Google collaborating on the issue through the coordinated vulnerability disclosure process (GitHub Advisory).