Top Data Anonymization Tools of 2025 to protect sensitive information, ensure compliance, and maintain performance across industries.

Data protection is of the highest importance in 2025. With growing numbers of organizations handling sensitive customer data and stricter data protection regulations emerging around the world, organizations need strong tools for information protection. That’s where data anonymization enters the picture; it covers up or replaces personal data, and even if data leaks, it’s meaningless for hackers.

But not all anonymization software are created equally. Some are fast, some are secure, and some are just user-friendly. Let’s review the best data anonymization software of 2025 below.

****K2view****

If you’re looking for a top-of-the-line anonymization solution, the number one on your list should be K2view. K2view, being one of the best data anonymization tools, doesn’t just scramble data; it restructures data such that it can still be useful for testing and analytics purposes, with total privacy.  

K2view does this by creating “micro-databases” for each record, keeping each customer’s data apart and secure. It doesn’t just encrypt or mask data but also anonymizes it on the fly based on who is viewing it. That leaves developers with realistic test data, analysts with actionable insights, and no one with access to real sensitive data unless they need it.

Speed is also a perk. Unlike other software that slows down systems, K2view is optimized for handling vast databases with no lag. If you’re part of the finance, healthcare, or retail sector, this tool keeps your data secure with no slowing down.

****Privitar****

If your organization is dealing with a number of privacy laws like GDPR, CCPA, or HIPAA, then Privitar is a great choice. Privitar is centered around policy-based anonymization, which is the ability for you to define rules for data anonymization depending on the type of data and the laws involved.

Privitar is special because it can preserve data utility and still make the data private. If, for example, you’re dealing with medical records, it can anonymize the names and addresses of the patients but preserve the important trends for research.

And the best part? It supports the big cloud platforms such as AWS, Azure, and Google Cloud, making it convenient for any size of organization, be it a start-up or a large-scale organization.

****ARX****

Not all companies have a large budget for data privacy software, and that is precisely why ARX fills the gap. ARX is a free, open-source anonymization software that is no less effective when it comes to capabilities.

ARX offers a number of anonymization options, including generalization, suppression, and differential privacy. You can control the quantity of information deleted from the data, making it suitable for data sharing or research purposes without violating the law.

The catch is, it’s not as user-friendly and refined as some of the paid options. But if your team is technologically savvy and can work with a bit of learning curve, ARX is a wonderful free solution for anonymizing data without the cost.

****DataVeil****

If you’re seeking a tool with sole function for anonymization, DataVeil is one that is definitely worth looking at. DataVeil differs from other platforms which integrate anonymization with other data security features because it is specifically intended for masking and obfuscation.

One of its most significant strengths is real-time masking, which can anonymize data as it is being used. This is most suitable for organizations that make use of live databases but still need to protect sensitive information. It supports a number of databases like SQL Server and Oracle, and is thus appropriate for organizations with big data.

The only catch? It’s a bit specialized, and that means if you’re looking for a tool with broader data security features, then you might be required to integrate it with other tools.

****Anonos****

Everything is touched by AI in 2025, data privacy is no exception. Anonos is a game-changing solution that uses AI-driven anonymization for context-dependent protection of data.

For example, if a store would like to analyze customer buying habits without exposing real customer data, Anonos can anonymize the data for each team differently, such that marketing teams can view the patterns and IT teams can view the technical data—without exposing sensitive customer data.

It also possesses the feature of generating synthetic data, i.e., generating fake data sets that behave like real ones, making it suitable for training AI and data science without the fear of data breaches.

****Tonic.ai****

If you’re a software developer, then Tonic.ai is a saviour. The software is meant for creating realistic test data without the use of real personal data.

Developers need test data that mirrors real customer data, but real data is a privacy nightmare. Tonic.ai solves this problem by generating fake, though incredibly accurate, datasets that reflect the structure of real ones. Developers can then test apps without exposing anyone’s personal information.

It is integrated with popular databases and development tools seamlessly, thus being the best solution for software development teams that want to focus on software development rather than being distracted by compliance.

****Which Is the Right Choice for You?****

The anonymization tool of your choice will be determined by what you’re seeking. If a high-performance enterprise solution is what you’re seeking, then choose K2View. If compliance is most important, choose Privitar. If budget is the limiting factor, then ARX is the best free solution. If real-time masking is the answer for you, then DataVeil is the best, with the addition of AI from Anonos. If you’re a developer, then the answer is Tonic.ai.

As data privacy becomes even more critical in 2025, the decision of which anonymization tool is not just a smart one, it’s a necessity.

Image by Stephan Marquardt from Pixabay.

Best Data Anonymization Tools in 2025

On the 21st birthday of Gmail, Google has announced a major update that allows enterprise users to send end-to-end encrypted (E2EE) to any user in any email inbox in a few clicks.
The feature is rolling out starting today in beta, allowing users to send E2EE emails to Gmail users within an organization, with plans to send E2EE emails to any Gmail inbox in the coming weeks and to any email inbox

Enterprise Gmail Users Can Now Send End-to-End Encrypted Emails to Any Platform

A number of specialized dating apps leaked the--not so--secret storage location of 1.5 Million more or less explicit images

A researcher found millions of pictures from specialized dating apps for iOS stored online without any kind of password protection.

The pictures, some of which are explicit, stem from dating apps that all have a specific audience. The five platforms, all developed by M.A.D. Mobile are kink sites BDSM People and Chica, and LGBTQ+ apps Pink, Brish, and Translove.

As we reported not too long ago, many iOS apps leak at least one hard coded secret. We consider hard coded secrets in the source code of the apps as exposed because they are relatively easy to find and abuse by cybercriminals. And those secrets can have serious consequences for the apps’ users

Cybernews’ Aras Nazarovas found the storage location (a Google Cloud Storage bucket) used by the apps by reverse engineering the code. To his surprise, he could access the unencrypted and otherwise unprotected photos without needing any password.

As soon as he saw the first image, he knew this storage should not have been public. Not only did it contain profile pictures, it also included pictures sent in private messages, including some removed by moderators.

In total, nearly 1.5 million user-uploaded images were available to anyone stumbling over the storage bucket. Although the images are not linked to any user accounts or other private information, it is not unthinkable that cybercriminals could figure out some of the identities by using commonly available face search engines.

Many of these search engines use Artificial Intelligence (AI) for facial recognition combined with reverse image search technology to find other photos of a person published online, based on a picture submitted by the user.

Although officially intended only for self-searches, many of them don’t bother to check whether that’s actually the case.

Coupled to the identity of the person in the picture, these images could expose users to extortion, as well as an increased risk of hostility. As if online dating isn’t nervewracking enough, especially for those looking in special categories, the last we need is to see our explicit images exposed.

M.A.D Mobile was warned about the leak in January, but didn’t take any action to protect the storage until the BBC contacted the company on Friday. The issue has now been fixed.

It’s important to stipulate that the apps are exclusive to iOS and do not have Android or web alternatives.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 Intimate images from kink and LGBTQ+ dating apps left exposed online 

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Google Tag allows Cross-Site Scripting (XSS). This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-36vv-q5jv-94cj: Drupal Google Tag Cross-Site Scripting (XSS) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Google Tag allows Cross Site Request Forgery. This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8.

GHSA-qchr-8m24-7v66: Drupal Google Tag Cross-Site Request Forgery (CSRF)

A list of topics we covered in the week of March 24 to March 30 of 2025

March 31, 2025 - The internet is so filled with falsehoods that April Fools hits different these days. That's why, as a cybersecurity company, we're out.

March 27, 2025 - A man didn't just have his ID stolen, identity theft ruined his life and robbed him of a promising future.

March 27, 2025 - Is moving from WhatApp to Signal a good idea? We look at the pros and cons, and which settings can make Signal even more private.

March 26, 2025 - Fake Booking.com emails sent to hotels lead to fake CAPTCHA sites that trick the staff into infecting their own systems.

March 26, 2025 - With its growing popularity, sponsored Google search ads have started impersonating DeepSeek AI.

 A week in security (March 24 &#8211; March 30) 

The internet is filled with falsehoods.  We’re forever investigating new scams here at Malwarebytes, and it’s so hard to know what—or...

The internet is filled with falsehoods. 

We’re forever investigating new scams here at Malwarebytes, and it’s so hard to know what—or who—to trust online.  

There’s the scam that takes advantage of grieving people and tricks them into paying for a funeral live stream. 

There’s the fake CAPTCHA that hijacks clipboards and tricks users into installing malware. 

There’s the many, many, many scams that use Google ads to trick people into granting remote access to their machine, handing over money, or installing malware. 

And we’re being tricked constantly by AI, take the Texan restaurant with its dino croissant and photos of Jeff Bezos at the bar. Or the scam that uses an AI replica of a loved one’s voice to trick a family member into handing over money. 

It’s hard to know what to believe any day of the year online and so, while we used to participate in April Fools, it just hits different these days. 

Especially when things go wrong when it comes to April Fools’ pranks. Last year a burger restaurant sent customers into a spin after sending them a fake order confirmation email, which led to customers fearing that their accounts had been hacked. All in good faith, but it no doubt hit a nerve for the affected customers. 

So go ahead and order your Hot Dog Sparkling Water, eat your crust only pizza, or have a snooze in your banana sleeping bag. We love that. But as a cybersecurity brand we want you to feel like you can trust us—every single day of the year. If we say something is fake, then it’s fake. If we say it’s real, then it’s real. No exceptions. 

****How to protect yourself from scams** **

*   **Watch out for a false sense of urgency.** Scammers will often use time pressure to get you to click, fill in your personal data, or hand over money. If you feel like you’re being asked to act quickly, take a pause. 

*   **Is it too good to be true?** Offers of big discounts or free stuff can be really tempting, but they’re often used as lures for scammers. The likelihood is that it is, indeed, **too good to be true** and should be avoided at all costs. 

*   **Have a family code word**. Scammers are known to use an AI-generated voice of a loved one to trick a family member into handing over money. Come up with a code word in person that only you and your loved ones know and keep it a secret so you can ask for it if you receive such a phone call. 

*   **Check via another way**. If your “bank” gives you an unexpected phone call, ring them back on a number you know is theirs. If a Facebook friend DMs you a link, send them a quick text to check it’s really them. Double checking in this way could save you doing something you later regret. 

*   **Use a different password for every account**. If you get your username and password stolen on one account you don’t want scammers to be able to use it on another. Password managers help you create complex passwords, and they remember them for you.  

*   **Set up multi-factor authentication** on every account you can. It’s not foolproof, but it does make it considerably harder for scammers.

 Why we’re no longer doing April Fools’ Day  

Plus: Alleged Snowflake hacker will be extradited to US, internet restrictions create an information vacuum in Myanmar, and London gets its first permanent face recognition cameras.

After senior Trump administration members mistakenly included The Atlantic editor Jeffrey Goldberg in a secret group chat about bombing Houthi targets in Yemen, encrypted messaging app Signal found itself at the center of a storm this week. Some commentators criticized the app, going as far to blame it for the scandal.

But the whole affair that’s dubiously been dubbed “SignalGate” isn’t about Signal at all: Experts say officials shouldn’t invite untrusted contacts into sensitive chats and should only use authorized devices, platforms, and procedures when discussing top-secret military operations. In other words, the people who set up the chat made numerous mistakes, and they had nothing to do with how secure Signal is. In fact, Signal has seen its biggest-ever spike in US downloads as a result of the news.

In other news linked to _that_ Houthi group chat, national security adviser Mike Waltz—an account with the name “Michael Waltz” originally invited Goldberg to the group—left his Venmo account open to public view. As WIRED reported, a “Michael Waltz” Venmo account displayed the names of the adviser’s colleagues and friends, revealing people in Waltz’s wider social network. After WIRED reached out to the White House, the Waltz account hid its friends list. There’s more though: WIRED also discovered other Venmo accounts linked to officials in the Signal chat. Information about who officials associate with could be highly lucrative for foreign spies and hackers.

Elsewhere, we reported on all the ways the White House adopting Elon Musk’s Starlink as an alternative Wi-Fi network could be bad news for network security. There are also early signs in Europe that some companies are going cold on cloud services from Google, Amazon, and Microsoft, as they reassess the risks of dealing with the volatile second Trump administration. And, as crossing the United States border becomes more perilous—for both citizens and visa holders—we updated our guide to keeping your digital privacy intact when you are entering the US.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

**Top US Security Officials’ Passwords and Personal Phone Numbers Discovered Online**

On top of SignalGate and Venmo accounts being left exposed, German news outlet Der Spiegel reported that sensitive personal information linked to several senior Trump administration security officials is easily discoverable online. Reporters from the publication found that mobile phone numbers, email addresses, and “some” passwords for top officials could be found on the internet.

Using people-search engines and information contained in public data breaches, Der Spiegel discovered personal information belonging to Waltz, director of national intelligence Tulsi Gabbard, and Pete Hegseth, the secretary of defense. “Most of these numbers and email addresses are apparently still in use, with some of them linked to profiles on social media platforms like Instagram and LinkedIn,” the news organization reported. The details were also linked to Dropbox, Microsoft Teams, Signal, and WhatsApp accounts used by the officials.

While millions of people have been caught up in online data breaches and use inadequate privacy settings on their online accounts, high-level government security officials are exposed to a broader and more severe range of online threats, particularly from nation-state hackers, than most people. Officials told the news organization that many of the accounts and personal details were no longer used or had been updated. However, messages Der Spiegel sent to WhatsApp and Signal accounts belonging to Waltz and Gabbard were delivered, the publication reported. Only after they approached the government for comment were some of the accounts restricted.

**Internet Restrictions May Hide Initial Toll of Myanmar Earthquake Damage**

On Friday, a huge 7.7-magnitude earthquake and aftershock hit Myanmar, with widespread damage being reported hundreds of miles away in Thailand. At the time of writing, at least 144 people have been confirmed dead with hundreds of others injured in Myanmar. As the first impacts of the devastating quake started to emerge, The New York Times reported that long-standing and widespread internet restrictions in worn-torn Myanmar were likely making it harder for news of the damage to be understood. Since the country’s military junta took power in 2021, connectivity within Myanmar has been widely disrupted or blocked. For instance in 2023, 13 out of Myanmar’s 14 states faced internet disruptions.

In the wake of the earthquake, more video footage and news could be seen immediately emerging from neighbouring Thailand, experts told the Times. “Compare the coverage of the earthquake in Thailand, where tremors and damage have been extensively reported, posted and documented, to Myanmar, where we still don’t have a clear picture of the extent of the damage and loss and may not for some time,” Joe Freeman from Amnesty International said. The lack of connectivity may also make the recovery and humanitarian efforts harder to coordinate, once again highlighting the vital need for people to have reliable and open access to the internet.

**Alleged Snowflake Hacker Connor Moucka Agrees to US Extradition**

Last summer’s Snowflake hacking spree, where customers of the cloud storage company had their accounts targeted, was likely one of the largest mass data exfiltrations that’s publicly known. Toward the end of 2024, Canadian authorities arrested Alexander “Connor” Moucka, 26, who allegedly used online handles such as “Waifu” and “Judische,” in connection to the hacking activity. This week, Moucka consented to be extradited to the United States to face the alleged charges. According to Cyberscoop, Moucka faces 20 federal charges, including those linked to computer fraud, wire fraud, and aggravated identity theft. Moucka is not the only person allegedly behind the Snowflake hacking, with John Binns and Cameron Wagenius being named in indictments. It is unclear when Moucka’s extradition will take place.

**London Is Getting Its First Permanent Face Recognition Cameras**

Police forces across the UK have massively increased their use of live face recognition cameras in recent years. Use of the controversial technology has historically been temporary: mounting cameras on top of police vehicles and deploying them for specific events and set periods of time. That’s now set to change with the first permanent face recognition cameras being rolled out in London. The city’s Metropolitan Police are in the process of installing fixed cameras in Croydon, in the south of the city.

“This will mean our use of LFR technology will be far more embedded as a ‘business as usual’ approach rather than relying on the availability of the LFR vans that are in high demand across London,” a police official wrote in a letter seen by The Times of London. Reportedly, the cameras will not be used continuously, only when officers are nearby to monitor potential alerts. However, privacy campaigners fear the move could be further rolled out across the city, leading to a network of permanent face recognition cameras unlike those seen in any other democratic countries.

Top Trump Officials’ Passwords and Personal Phone Numbers Discovered Online

Palo Alto, USA, 29th March 2025, CyberNewsWire

**Palo Alto, USA, March 28th, 2025, CyberNewsWire**

From WannaCry to the MGM Resorts Hack, ransomware remains one of the most damaging cyberthreats to plague enterprises. Chainalysis estimates that corporations spend nearly $1 billion dollars on ransom each year, but the greater cost often comes from the reputational damage and operational disruption caused by the attack.

Ransomware attacks typically involve tricking victims into downloading and installing the ransomware, which copies, encrypts, and/or deletes critical data on the device, only to be restored upon the ransom payment. Traditionally, the primary target of ransomware has been the victim’s device. However, thanks to the proliferation of the cloud and SaaS services, the device no longer holds the keys to the kingdom. Instead, the browser has become the primary way through which employees conduct work and interact with the internet. In other words, the browser is becoming the new endpoint.

SquareX has been disclosing major browser vulnerabilities like Polymorphic Extensions and Browser Syncjacking, and is now issuing a strong warning on the emergence of browser-native ransomware. 

> SquareX’s founder, Vivek Ramachandran cautions, “With the recent surge in browser-based identity attacks like the one we saw with the Chrome Store OAuth attack, we are beginning to see evidence of the ‘ingredients’ of browser-native ransomwares being used by adversaries. It is only a matter of time before one smart attacker figures out how to put all the pieces together. While EDRs and Anti-Viruses have played an unquestionably vital role in defending against traditional ransomware, the future of ransomware will no longer involve file downloads, making a browser-native solution a necessity to combat browser-native ransomwares.”

Unlike traditional ransomware, browser-native ransomware requires no file download, rendering them completely undetectable by endpoint security solutions. Rather, this attack targets the victim’s digital identity, taking advantage of the widespread shift toward cloud-based enterprise storage and the fact that browser-based authentication is the primary gateway to accessing these resources. In the case studies demonstrated by SquareX, these attacks leverage AI agents to automate the majority of the attack sequence, requiring minimal social engineering and interference from the attacker.

One potential scenario involves social engineering a user into granting a fake productivity tool access to their email, through which it can identify all the SaaS applications the victim is registered with. It can then systematically reset the password of these apps with AI agents, logging the users out on their own and holding enterprise data stored on these applications hostage. 

Similarly, the attacker can also target file-sharing services like Google Drive, Dropbox and OneDrive, using the victim’s identity to copy out and delete all files stored under their account. Critically, attackers can also gain access to all shared drives, including those shared by colleagues, customers and other third parties. This significantly expands the attack surface of browser-native ransomware – where the impact of most traditional ransomware is confined to a single device, all it takes is one employee’s mistake for attackers to gain full access to enterprise-wide resources.

As fewer and fewer files are being downloaded, it is inevitable for attackers to follow where work and valuable data are being created and stored. As browsers become the new endpoint, it is crucial for enterprises to reconsider their browser security strategy – just as EDRs were critical to defend against file-based ransomware, a browser-native solution with a deep understanding of client-side application layer identity attacks will become essential in combating the next generation of ransomware attacks.

To learn more about this security research, users can visit https://sqrx.com/browser-native-ransomware

**About SquareX**

SquareX’s industry-first Browser Detection and Response (BDR) solution helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real time. In addition to browser ransomware, SquareX also protects against various browser threats including identity attacks, malicious extensions, advanced spearphishing, GenAI DLP, and insider threats.

The browser-native ransomware disclosure is part of the Year of Browser Bugs project. Every month, SquareX’s research team releases a major web attack that focuses on architectural limitations of the browser and incumbent security solutions. Previously disclosed attacks include Browser Syncjacking and Polymorphic Extensions. 

To learn more about SquareX’s BDR, users can contact \[email protected\].

For press inquiries on this disclosure or the Year of Browser Bugs, users can email \[email protected\]. 

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk

## Summary

In a TUF repository, the targets role’s signature indicates which target files are trusted by clients. The role can delegate full or partial trust to other roles, meaning that that role is trusted to sign target file metadata. Delegated roles can further delegate trust to other delegated roles. When searching for metadata about a given target, tough failed to detect cyclical role delegations.

## Impact

When interacting with TUF repositories which contain cyclical role delegations, tough will fail to detect the cycles and will exhaust its stack while recursively searching the delegation graph. The exhausted call stack will cause the process to abort.

Impacted versions: < v0.20.0

## Patches

A fix for this issue is available in tough version 0.20.0 and later. Customers are advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

## Workarounds

There is no recommended work around. Customers are advised to upgrade to version 0.20.0 or the latest version.

## References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.


[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

## Acknowledgement

We would like to thank Google for collaborating on this issue through the coordinated vulnerability disclosure process.

**Summary**

In a TUF repository, the targets role’s signature indicates which target files are trusted by clients. The role can delegate full or partial trust to other roles, meaning that that role is trusted to sign target file metadata. Delegated roles can further delegate trust to other delegated roles. When searching for metadata about a given target, tough failed to detect cyclical role delegations.

**Impact**

When interacting with TUF repositories which contain cyclical role delegations, tough will fail to detect the cycles and will exhaust its stack while recursively searching the delegation graph. The exhausted call stack will cause the process to abort.

Impacted versions: < v0.20.0

**Patches**

A fix for this issue is available in tough version 0.20.0 and later. Customers are advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

**Workarounds**

There is no recommended work around. Customers are advised to upgrade to version 0.20.0 or the latest version.

**References**

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page \[1\] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

\[1\] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

**Acknowledgement**

We would like to thank Google for collaborating on this issue through the coordinated vulnerability disclosure process.

**References**

*   GHSA-j8x2-777p-23fc
*   awslabs/tough@c5ee171
*   https://aws.amazon.com/security/security-bulletins/AWS-2025-007

Tag

#google