Data quality: CVE->OSV conversion drops affected React/Next.js ranges for CVE-2025-67779, CVE-2025-55184, CVE-2025-55183, CVE-2025-55182 (OSV incomplete vs NVD)

[fingeromer]

These CVEs' affected packages/versions are substantially incomplete compared to NVD’s “Known Affected Software Configurations (CPE)” ranges for the same CVEs.

Impact:
Downstream consumers relying on OSV affected ranges may miss vulnerable Next.js 15.x/16.x and/or React versions.

Affected OSV pages:

• https://osv.dev/vulnerability/CVE-2025-67779
• https://osv.dev/vulnerability/CVE-2025-55184
• https://osv.dev/vulnerability/CVE-2025-55183
• https://osv.dev/vulnerability/CVE-2025-55182

Evidence / diffs (OSV vs NVD):

1) CVE-2025-67779
OSV:

• Only lists Git / github.com/vercel/next.js and only enumerates Next.js tags in the 13.x/14.x series (no 15.x/16.x).

NVD change record:

• Includes facebook:react 19.0.2, 19.1.3, 19.2.2
• Includes vercel:next.js affected ranges:
  • >=13.3.0 <14.2.35
  • multiple 15.x ranges (15.0.0<15.0.7, 15.1.0<15.1.11, 15.2.0<15.2.8, 15.3.0<15.3.8, 15.4.0<15.4.10, 15.5.0<15.5.9)
  • >=16.0.0 <16.0.10
    NVD link (change record):
• https://nvd.nist.gov/vuln/detail/CVE-2025-67779/change-record?changeRecordedOn=12%2F12%2F2025T13%3A20%3A19.773-0500

2) CVE-2025-55184
OSV:

• Lists Git / github.com/facebook/react and Git / github.com/vercel/next.js, but Next.js tag enumeration appears limited to 13.x/14.x only.

NVD change record:

• React affected ranges: >=19.0.0<19.0.2, >=19.1.0<19.1.3, >=19.2.0<19.2.2
• Next.js affected ranges include >=13.3.0<14.2.35 AND multiple 15.x ranges AND >=16.0.0<16.0.10
  NVD link (change record):
• https://nvd.nist.gov/vuln/detail/CVE-2025-55184/change-record?changeRecordedOn=12%2F12%2F2025T13%3A18%3A29.827-0500

3) CVE-2025-55183
OSV:

• Next.js tag enumeration only shows 15.0.0–15.0.6 (missing 15.1+ and 16.x).

NVD change record:

• React affected ranges: >=19.0.0<19.0.2, >=19.1.0<19.1.3, >=19.2.0<19.2.2
• Next.js affected ranges include multiple 15.x ranges and >=16.0.0<16.0.10
  NVD link (change record):
• https://nvd.nist.gov/vuln/detail/CVE-2025-55183/change-record?changeRecordedOn=12%2F12%2F2025T13%3A18%3A19.950-0500

4) CVE-2025-55182
OSV:

• Only lists Git / github.com/vercel/next.js and only enumerates 15.0.0–15.0.4 (no React entry, missing later 15.x and 16.x).

NVD change record:

• Includes facebook:react 19.0.0, 19.1.0, 19.1.1, 19.2.0
• Includes vercel:next.js affected ranges:
  • >=15.0.0<15.0.5, >=15.1.0<15.1.9, >=15.2.0<15.2.6, >=15.3.0<15.3.6, >=15.4.0<15.4.8, >=15.5.0<15.5.7
  • >=16.0.0<16.0.7
  • plus additional explicit canary CPE entries shown in the same config blob
    NVD link (change record):
• https://nvd.nist.gov/vuln/detail/CVE-2025-55182/change-record?changeRecordedOn=12%2F05%2F2025T12%3A44%3A58.770-0500

Request:
Please update the CVE->OSV enrichment so that OSV records preserve the full set of affected ranges and packages from NVD’s CPE configurations for these CVEs.

If the intended behavior is to convert CPE ranges to OSV affected ranges, ideally the OSV records should include:

• Next.js semver ranges covering 15.x/16.x where NVD indicates them (not just 13/14 or 15.0.x).
• React affected versions/ranges where NVD indicates facebook:react CPEs.
  Optionally (but would be more actionable): map to npm ecosystems (next, react, and/or the react-server-dom-* packages referenced in the CVE descriptions), but at minimum please avoid dropping the version coverage present in NVD.

Thanks!