Issue with tough, versions prior to 0.20.0 (Multiple CVEs)

The Update Framework (TUF) is a software framework designed to protect the mechanisms that automatically identify and download software updates. The tough library is a Rust client for TUF repositories.

AWS has identified several issues in tough versions prior to 0.20.0, which have been fixed in the latest release. The issues include missing validation of the root metadata version number, incorrect signature verification, caching of timestamp metadata despite rejection, and incomplete rollback detection. They are tracked under CVE-2025-2885, CVE-2025-2886, CVE-2025-2888, and CVE-2025-2887.

All versions prior to 0.20.0 are affected. Users are recommended to upgrade to tough version 0.20.0 or later; patches for these issues are included in the latest release.

AWS thanks Google for collaborating on this issue through the coordinated vulnerability disclosure process. Users with security questions or concerns can email [email protected].
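As an added illustration, and not code from tough or from AWS, the Rust sketch below shows the client-side checks that the four issue classes above concern: the root version chain, a signature threshold counted over distinct trusted keys, rollback detection on timestamp and snapshot versions, and writing to the cache only after every check has passed. The `Client` and `Meta` types, key IDs and version numbers are constructed for the example; the version rules follow the TUF client workflow (a newly fetched root must be exactly N+1, and timestamp and snapshot versions must never decrease).

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum UpdateError {
    RootVersion { expected: u64, got: u64 },
    Threshold { needed: usize, got: usize },
    TimestampRollback { trusted: u64, got: u64 },
    SnapshotRollback { trusted: u64, got: u64 },
}

/// Constructed stand-in for signed TUF metadata: signatures are modelled as key IDs, so the
/// cryptographic part of verification is out of scope here and only the bookkeeping is shown.
#[derive(Clone, Debug)]
pub struct Meta { pub version: u64, pub snapshot_version: u64, pub signed_by: Vec<&'static str> }
pub struct Client {
    pub root_version: u64,               // version N of the currently trusted root
    pub trusted_keys: Vec<&'static str>, // keys the trusted root authorises for the role
    pub threshold: usize,
    pub timestamp: Option<Meta>,         // last timestamp metadata that passed every check
    pub cache: Vec<String>,              // stand-in for the on-disk metadata cache
}

impl Client {
    /// Only distinct trusted keys count: several signatures from one key are one signature.
    fn check_threshold(&self, m: &Meta) -> Result<(), UpdateError> {
        let keys: HashSet<&str> = m.signed_by.iter().copied().filter(|k| self.trusted_keys.contains(k)).collect();
        if keys.len() < self.threshold { return Err(UpdateError::Threshold { needed: self.threshold, got: keys.len() }); }
        Ok(())
    }
    /// The client asked for root N+1, so the signed version must be exactly N+1 (a full client also
    /// checks the threshold against the new root's own keys; omitted here for brevity).
    pub fn update_root(&mut self, new_root: &Meta) -> Result<(), UpdateError> {
        let expected = self.root_version + 1;
        if new_root.version != expected { return Err(UpdateError::RootVersion { expected, got: new_root.version }); }
        self.check_threshold(new_root)?;
        self.root_version = new_root.version;
        self.cache.push(format!("{}.root.json", new_root.version));
        Ok(())
    }
    /// Persist a fetched timestamp file only after signature and rollback checks all pass.
    pub fn update_timestamp(&mut self, new: &Meta) -> Result<(), UpdateError> {
        self.check_threshold(new)?;
        if let Some(t) = &self.timestamp {
            if new.version < t.version { return Err(UpdateError::TimestampRollback { trusted: t.version, got: new.version }); }
            if new.snapshot_version < t.snapshot_version { return Err(UpdateError::SnapshotRollback { trusted: t.snapshot_version, got: new.snapshot_version }); }
        }
        self.timestamp = Some(new.clone()); // reached only when every check above succeeded
        self.cache.push("timestamp.json".to_string());
        Ok(())
    }
}
```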