CVE-2021-41149

HIGH8.2EPSS 0.85%

Improper sanitization of target names

Published: 10/19/2021Modified: 3/13/2026

Description

### Impact The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system. AWS would like to thank https://github.com/jku for reporting this issue. ### Patches A fix is available in version 0.12.0. ### Workarounds No workarounds to this issue are known.

Affected packages (1)

crates.io/toughfrom 0, < 0.12.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-41149
PATCHhttps://github.com/awslabs/tough
WEBhttps://github.com/awslabs/tough/commit/1809b9bd1106d78a51fbea3071aa97a3530bac9a
WEBhttps://github.com/awslabs/tough/security/advisories/GHSA-x3r5-q6mj-m485