PT-2025-13411 · Tough · Tough

Adamkorcz +1 · Published 2025-03-27 · Updated 2025-03-29 · CVE-2025-2888

CVSS v4.0: 5.7 Medium
Vector: AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: tough versions prior to 0.20.0
Description: The issue arises during a snapshot rollback. When the snapshot referenced by newly fetched timestamp metadata is rejected as a rollback, the tough client nevertheless persists that timestamp metadata to its cache. On later updates the client compares genuinely valid timestamp metadata against the cached invalid entry, incorrectly identifies the valid metadata as rolled back, and fails timestamp validation. The client is therefore unable to consume any further updates until the cache is cleared.
Recommendations: For versions prior to 0.20.0, upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. The pinned version in a Rust project can be checked with `cargo tree -i tough` or from the `tough` entry in Cargo.lock.
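The ordering problem the description refers to, as an added example that is not tough's own code: a minimal model of the timestamp-then-snapshot step of a TUF client update, with the vulnerable ordering (timestamp persisted as soon as its own version check passes) beside a hardened ordering (nothing persisted until the snapshot check also passes). Signatures, expiry and hashes are omitted; only the version checks needed to show the cache poisoning are modelled, and the scenario (a freshly signed timestamp 5 pointing at an old snapshot 2, followed by the legitimate timestamp 4 / snapshot 3) is constructed for illustration and is not taken from the advisory.

```rust
// Added example, not tough's own code: a minimal model of the timestamp ->
// snapshot step of a TUF client update. Only version checks are modelled.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Timestamp {
    pub version: u64,
    /// Version of the snapshot file this timestamp points at.
    pub snapshot_version: u64,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Snapshot {
    pub version: u64,
}

/// What the repository (or whoever controls the transport) serves for one update.
#[derive(Clone, Copy, Debug)]
pub struct Repo {
    pub timestamp: Timestamp,
    pub snapshot: Snapshot,
}

/// The client's persisted trusted state (its on-disk cache).
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct Cache {
    pub timestamp: Option<Timestamp>,
    pub snapshot: Option<Snapshot>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum UpdateError {
    TimestampRollback { trusted: u64, new: u64 },
    SnapshotRollback { trusted: u64, new: u64 },
    SnapshotMismatch { expected: u64, got: u64 },
}

/// Timestamp rollback check: the new version must not be lower than the trusted one.
fn check_timestamp(cache: &Cache, new: Timestamp) -> Result<(), UpdateError> {
    if let Some(trusted) = cache.timestamp {
        if new.version < trusted.version {
            return Err(UpdateError::TimestampRollback { trusted: trusted.version, new: new.version });
        }
    }
    Ok(())
}

/// Snapshot checks: the fetched snapshot must be the one the timestamp names,
/// and its version must not be lower than the trusted snapshot's.
fn check_snapshot(cache: &Cache, ts: Timestamp, new: Snapshot) -> Result<(), UpdateError> {
    if new.version != ts.snapshot_version {
        return Err(UpdateError::SnapshotMismatch { expected: ts.snapshot_version, got: new.version });
    }
    if let Some(trusted) = cache.snapshot {
        if new.version < trusted.version {
            return Err(UpdateError::SnapshotRollback { trusted: trusted.version, new: new.version });
        }
    }
    Ok(())
}

/// Vulnerable ordering: the timestamp is written to the cache as soon as its own
/// check passes, so a snapshot rollback leaves an unusable timestamp behind.
pub fn update_vulnerable(cache: &mut Cache, repo: Repo) -> Result<(), UpdateError> {
    check_timestamp(cache, repo.timestamp)?;
    cache.timestamp = Some(repo.timestamp); // persisted before the snapshot is validated
    check_snapshot(cache, repo.timestamp, repo.snapshot)?;
    cache.snapshot = Some(repo.snapshot);
    Ok(())
}

/// Hardened ordering (one reasonable fix, not necessarily tough's): persist only
/// after the whole step validates, so a rejected update leaves trusted state untouched.
pub fn update_fixed(cache: &mut Cache, repo: Repo) -> Result<(), UpdateError> {
    check_timestamp(cache, repo.timestamp)?;
    check_snapshot(cache, repo.timestamp, repo.snapshot)?;
    cache.timestamp = Some(repo.timestamp);
    cache.snapshot = Some(repo.snapshot);
    Ok(())
}

/// Constructed scenario: the client trusts timestamp 4 / snapshot 3. A rogue update
/// serves timestamp 5 pointing at old snapshot 2 (rejected by both clients), then
/// the repository serves the legitimate timestamp 4 / snapshot 3 again.
/// Returns (vulnerable client's result, fixed client's result) for that second update.
pub fn scenario() -> (Result<(), UpdateError>, Result<(), UpdateError>) {
    let trusted = Cache {
        timestamp: Some(Timestamp { version: 4, snapshot_version: 3 }),
        snapshot: Some(Snapshot { version: 3 }),
    };
    let rogue = Repo { timestamp: Timestamp { version: 5, snapshot_version: 2 }, snapshot: Snapshot { version: 2 } };
    let legit = Repo { timestamp: Timestamp { version: 4, snapshot_version: 3 }, snapshot: Snapshot { version: 3 } };

    let mut vuln = trusted.clone();
    assert_eq!(update_vulnerable(&mut vuln, rogue), Err(UpdateError::SnapshotRollback { trusted: 3, new: 2 }));
    let vuln_after = update_vulnerable(&mut vuln, legit); // valid update now looks like a rollback

    let mut fixed = trusted.clone();
    assert_eq!(update_fixed(&mut fixed, rogue), Err(UpdateError::SnapshotRollback { trusted: 3, new: 2 }));
    let fixed_after = update_fixed(&mut fixed, legit); // trusted state was never poisoned

    (vuln_after, fixed_after)
}

fn main() {
    let (v, f) = scenario();
    println!("vulnerable client after the rogue update: {:?}", v);
    println!("fixed client after the rogue update:      {:?}", f);
}
```

The vulnerable client ends up with `TimestampRollback { trusted: 5, new: 4 }` on every subsequent valid update until its cache is wiped, which is exactly the denial of updates the advisory describes; the fixed client accepts the legitimate metadata because the rejected timestamp was never written to its trusted state.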


Related Identifiers

CVE-2025-2888
GHSA-76G3-38JV-WXH4

Affected Products

Tough