CVE-2022-29173
CVE-2022-29173 is a high-severity vulnerability in Theupdateframework Go-tuf with a CVSS 3.x base score of 8.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-354.
Key facts
- Severity: High (CVSS 3.x base score 8.0)
- CVSS v2: 4.3
- EPSS exploit prediction: 1% (41st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-354
- Affected product: Theupdateframework Go-tuf
- Published:
- Last modified:
Description
go-tuf is a Go implementation of The Update Framework (TUF). go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to install software that is older than the software which the client previously knew to be available, and may include software with known vulnerabilities. In more detail, the client code of go-tuf has several issues in regards to preventing rollback attacks: 1. It does not take into account the content of any previously trusted metadata, if available, before proceeding with updating roles other than the root role (i.e., steps 5.4.3.1 and 5.5.5 of the detailed client workflow). This means that any form of version verification done on the newly-downloaded metadata is made using the default value of zero, which always passes. 2. For both timestamp and snapshot roles, go-tuf saves these metadata files as trusted before verifying if the version of the metafiles they refer to is correct (i.e., steps 5.5.4 and 5.6.4 of the detailed client workflow). A fix is available in version 0.3.0 or newer. No workarounds are known for this issue apart from upgrading.
Frequently asked questions
- What is CVE-2022-29173?
- go-tuf is a Go implementation of The Update Framework (TUF). go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to install software that is older than the software which the client previously knew to be available, and may include software with known vulnerabilities. In more detail, the client code of go-tuf has several issues in regards to preventing rollback attacks: 1. It does not take into account the content of any previously trusted metadata, if available, before proceeding with updating roles other than the root role (i.e., steps 5.4.3.1 and 5.5.5 of the detailed client workflow). This means that any form of version verification done on the newly-downloaded metadata is made using the default value of zero, which always passes. 2. For both timestamp and snapshot roles, go-tuf saves these metadata files as trusted before verifying if the version of the metafiles they refer to is correct (i.e., steps 5.5.4 and 5.6.4 of the detailed client workflow). A fix is available in version 0.3.0 or newer. No workarounds are known for this issue apart from upgrading.
- How severe is CVE-2022-29173?
- CVE-2022-29173 has a CVSS 3.x base score of 8.0, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-29173 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (41st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-29173?
- CVE-2022-29173 affects Theupdateframework Go-tuf. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-29173?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-29173 published?
- CVE-2022-29173 was published on 2022-05-05 and last updated on 2026-06-17.
References
- https://github.com/theupdateframework/go-tuf/commit/ed6788e710fc3093a7ecc2d078bf734c0f200d8d
- https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-66x3-6cw3-v5gj
Affected products (1)
- cpe:2.3:a:theupdateframework:go-tuf:0.2.0:*:*:*:*:*:*:*
More vulnerabilities in Theupdateframework Go-tuf
- CVE-2026-23992 — Medium (CVSS 5.9): go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a…
- CVE-2026-23991 — Medium (CVSS 5.9): go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if…
- CVE-2026-24686 — Medium (CVSS 4.7): go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file…
All CVEs affecting Theupdateframework Go-tuf →
Other CWE-354 vulnerabilities
- CVE-2025-11543 — Critical (CVSS 9.8): Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows a attacker may…
- CVE-2024-25678 — Critical (CVSS 9.8): In LiteSpeed QUIC (LSQUIC) Library before 4.0.4, DCID validation is mishandled.
- CVE-2023-33668 — Critical (CVSS 9.8): DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and takeover…
- CVE-2017-15994 — Critical (CVSS 9.8): rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to…
- CVE-2026-49230 — Critical (CVSS 9.1): Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default…
- CVE-2026-34182 — Critical (CVSS 9.1): Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the…