PT-2025-13406 · Tough · Tough

Reporter: Adamkorcz +1
Published: 2025-03-27 · Updated: 2025-03-29
CVE: CVE-2025-2885

CVSS v4.0: 5.7 (Medium)
Vector: AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: tough versions prior to 0.20.0
Description: The issue arises from missing validation of the root metadata version number, allowing an actor to supply an arbitrary version number to the client. This could lead to the client trusting an outdated or rotated root role, potentially trusting content associated with a previous root role. Users should upgrade to a version that incorporates the new fixes to prevent this issue.
Recommendations: For versions prior to 0.20.0, upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
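The check the description refers to, shown as an added example that is not tough's own code: while walking the root rotation chain, a TUF client that has asked for N+1.root.json must reject any candidate whose declared version is not exactly trusted version + 1 (the rule the reference python-tuf client enforces); the `Root` struct and function names below are assumptions for illustration, and signature verification is left out.

```rust
// Added example, not tough's code: root-version validation during TUF root rotation.
#[derive(Debug, PartialEq)]
pub enum RootError {
    /// The candidate's declared version is not the version the client asked for (N+1).
    VersionMismatch { expected: u64, found: u64 },
}

/// Trusted root metadata the client currently holds (only the field needed here).
#[derive(Debug, Clone, PartialEq)]
pub struct Root {
    pub version: u64,
}

/// Validate a candidate root fetched as `<expected>.root.json` against the root the
/// client currently trusts. Any candidate whose declared version is not exactly
/// trusted.version + 1 is rejected, so a server cannot substitute a stale,
/// already-rotated root (or one carrying an arbitrary version number).
pub fn check_root_version(trusted: &Root, candidate: &Root) -> Result<(), RootError> {
    let expected = trusted.version + 1;
    if candidate.version != expected {
        return Err(RootError::VersionMismatch { expected, found: candidate.version });
    }
    Ok(())
}

/// Walk candidate roots in fetch order and return the last root accepted.
/// Stops at the first rejection; the client keeps its previously trusted root.
pub fn walk_root_chain(trusted: Root, candidates: &[Root]) -> Result<Root, RootError> {
    let mut current = trusted;
    for cand in candidates {
        check_root_version(&current, cand)?;
        // Signatures would be verified here against both the current and the
        // candidate root's keys before the candidate is accepted (omitted).
        current = cand.clone();
    }
    Ok(current)
}

fn main() {
    let trusted = Root { version: 3 };
    // Constructed sample: server answers the request for 4.root.json with the
    // body of an old version 2 root; the version check rejects it.
    println!("{:?}", check_root_version(&trusted, &Root { version: 2 }));
}
```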

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-2885
GHSA-5VMP-M5V2-HX47

Affected Products

Tough