PT-2025-13410 · Tough · Tough

Adamkorcz +1 · Published 2025-03-27 · Updated 2025-03-29 · CVE-2025-2887

CVSS v4.0: 5.7 (Medium)
Vector: AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: tough versions prior to 0.20.0

Description: The issue arises during a target rollback when the client fails to detect the rollback for delegated targets, potentially causing it to fetch a target from an incorrect source and alter the target contents. This could lead to the client trusting and downloading outdated targets that it should reject.

Recommendations: For versions prior to 0.20.0, upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-2887
GHSA-Q6R9-R9PW-4CF7

Affected Products

Tough