PT-2025-13409 · Tough

Adamkorcz

Published 2025-03-27 · Updated 2025-03-29

CVE-2025-2886

CVSS v4.0: 5.7 (Medium)
Vector: AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: tough versions prior to 0.20.0
Description: The issue arises from missing validation of terminating delegations: the client continues searching the defined delegation list even after encountering a terminating delegation. This could lead to the client fetching a target from an incorrect source, altering the target contents. Delegations are a mechanism that allows multiple identities to provide and sign content within a single repository; terminating delegations and delegation priority give unambiguous control over how overlapping delegations are resolved. However, the tough client erroneously does not terminate the search as required and accepts information from a lower-priority delegation that should have been ignored. When interacting with repositories that use delegations, the tough client could fetch targets owned by the incorrect role, allowing an actor with delegated ownership to provide arbitrary contents.
Recommendations: For versions prior to 0.20.0, upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
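The delegation-resolution rule described above, as an added example that is not tough's code: a minimal Rust model of TUF target lookup in which the `honor_terminating` flag switches between the required behaviour (a matching terminating role that lacks the target ends the search) and the pre-0.20.0 fall-through to lower-priority roles. Role names, path patterns and digests are constructed for the example.

```rust
// Added example (not tough's code): minimal TUF delegation lookup, showing why a
// matching terminating delegation must end the search for a target.
#[derive(Default)]
pub struct Delegation {
    pub name: &'static str,
    pub paths: Vec<&'static str>,                   // patterns; trailing '*' = prefix match
    pub terminating: bool,
    pub targets: Vec<(&'static str, &'static str)>, // (target path, constructed digest)
    pub children: Vec<Delegation>,                  // nested delegations, in priority order
}
enum Search { Found(&'static str, &'static str), Stop, Miss }
fn path_matches(pattern: &str, target: &str) -> bool {
    pattern.strip_suffix('*').map_or(pattern == target, |pre| target.starts_with(pre))
}
// Pre-order walk of the delegation tree in priority order.
fn search(roles: &[Delegation], target: &str, honor_terminating: bool) -> Search {
    for d in roles {
        if !d.paths.iter().any(|p| path_matches(p, target)) { continue; }
        if let Some(&(_, digest)) = d.targets.iter().find(|(p, _)| *p == target) {
            return Search::Found(d.name, digest);
        }
        match search(&d.children, target, honor_terminating) {
            Search::Miss => {}
            other => return other, // Found or Stop ends the whole search
        }
        // TUF rule: a matching terminating role that lacks the target ends the search.
        // honor_terminating = false models the pre-0.20.0 behaviour, which fell through
        // to lower-priority roles that should have been ignored.
        if d.terminating && honor_terminating { return Search::Stop; }
    }
    Search::Miss
}
/// Returns (role, digest) for `target`, or None if no role may provide it.
pub fn find_target(roles: &[Delegation], target: &str, honor_terminating: bool)
    -> Option<(&'static str, &'static str)> {
    if let Search::Found(role, digest) = search(roles, target, honor_terminating) {
        Some((role, digest))
    } else { None }
}
/// Constructed repository: "release" is terminating for bin/* but does not list
/// bin/app; the lower-priority "nightly" also claims bin/* and does list it.
pub fn sample_roles() -> Vec<Delegation> {
    vec![
        Delegation { name: "release", paths: vec!["bin/*"], terminating: true,
            targets: vec![("bin/installer", "sha256:release-placeholder")], ..Default::default() },
        Delegation { name: "nightly", paths: vec!["bin/*"],
            targets: vec![("bin/app", "sha256:nightly-placeholder")], ..Default::default() },
    ]
}
fn main() {
    println!("fixed: {:?}", find_target(&sample_roles(), "bin/app", true));
    println!("buggy: {:?}", find_target(&sample_roles(), "bin/app", false));
}
```

With the check honored, `bin/app` resolves to nothing because the terminating `release` role owns `bin/*`; without it, the client silently accepts the `nightly` role's copy.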

Fix · DoS


Related Identifiers

CVE-2025-2886
GHSA-V4WR-J3W6-MXQC

Affected Products

Tough