awslabs Tough Library and Tuftool CLI Utility Signature Bypass Vulnerability

Vulnerability

A vulnerability in the awslabs Tough library and its command-line utility, Tuftool, prior to versions 0.22.0 and 0.15.0 respectively, allows remote authenticated users to bypass the TUF signature threshold requirement. This is achieved by duplicating a valid cryptographic signature, which can then be used to forge delegated role metadata. The issue arises from improper verification of signature uniqueness in delegated role validation.
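The threshold check at the heart of this issue, as an added illustration that is not Tough's own code: a flawed tally counts every entry in the metadata's signature list that verifies, so one genuine signature pasted in twice satisfies a threshold of two, while the correct tally counts at most one vote per distinct trusted key. HMAC-SHA256 stands in for TUF's asymmetric signatures (an assumption made so the example runs offline); the role keys, threshold and signed bytes are constructed.

```python
import hmac
import hashlib

# Constructed stand-in for a delegated role's verification state: the role's
# trusted keys (keyid -> secret) and its signature threshold. Real TUF metadata
# uses asymmetric keys such as Ed25519; HMAC is used here only to run offline.
ROLE_KEYS = {
    "key-a": b"secret-a",
    "key-b": b"secret-b",
}
THRESHOLD = 2

def sign(keyid: str, signed_bytes: bytes) -> dict:
    """Produce a {keyid, sig} entry as it appears in metadata['signatures']."""
    mac = hmac.new(ROLE_KEYS[keyid], signed_bytes, hashlib.sha256).hexdigest()
    return {"keyid": keyid, "sig": mac}

def signature_is_valid(entry: dict, signed_bytes: bytes) -> bool:
    """Verify one entry against the role's key set; unknown keyids never count."""
    key = ROLE_KEYS.get(entry["keyid"])
    if key is None:
        return False
    expected = hmac.new(key, signed_bytes, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry["sig"])

def count_valid_naive(signatures, signed_bytes) -> int:
    """Flawed tally: every verifying entry counts, so a duplicate counts twice."""
    return sum(1 for s in signatures if signature_is_valid(s, signed_bytes))

def count_valid_unique(signatures, signed_bytes) -> int:
    """Correct tally: one vote per distinct trusted key, however often it appears."""
    seen = set()
    for s in signatures:
        if s["keyid"] in seen:
            continue
        if signature_is_valid(s, signed_bytes):
            seen.add(s["keyid"])
    return len(seen)

def meets_threshold(signatures, signed_bytes, threshold=THRESHOLD, unique=True) -> bool:
    counter = count_valid_unique if unique else count_valid_naive
    return counter(signatures, signed_bytes) >= threshold

# Constructed metadata: a single genuine signature from key-a, duplicated to
# pad the signature list. Only the naive tally is fooled by it.
SIGNED = b'{"_type":"targets","version":2}'
ONE_KEY_DUPLICATED = [sign("key-a", SIGNED), sign("key-a", SIGNED)]
```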

Impact

Exploitation of this vulnerability allows for the forgery of delegated role metadata, potentially leading to unauthorized changes in a TUF repository.

Remediation

Users are advised to upgrade to Tough version 0.22.0 or later and Tuftool version 0.15.0 or later. Instructions for upgrading are available in the Tough and Tuftool GitHub repositories.

Added: Apr 24, 2026, 8:43 PM
Updated: Apr 24, 2026, 8:43 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 6.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.