
Data quality issue with CVE-2025-62408 #4569

@tsaekao-endor

Description

CVE-2025-62408: OSV affected versions include non-existent and foreign tags (curl-*, c-ares-1_17_0)
The OSV record for CVE-2025-62408 lists affected “versions” that do not appear in any authoritative upstream source and appear to be derived from Git tag enumeration rather than actual released versions.

Examples currently shown in OSV include:

  • c-ares-1_17_0
  • v1.31.0
  • curl-7_10_8

These identifiers:

  • Are not mentioned in the CVE record
  • Are not mentioned in the GitHub Security Advisory
  • Are not mentioned in NVD
  • Do not correspond to the affected version range defined by the maintainer

Authoritative sources consistently define the affected versions as c-ares 1.32.3 through 1.34.5, with 1.34.6 as the fixed release.

This suggests the OSV affected versions are being derived from unbounded Git history/tag enumeration (e.g., introduced: "0"), resulting in misleading and foreign tag names being surfaced as affected versions.

Suggested changes to record
One or more of the following adjustments would resolve the issue:

  • Constrain the affected version range to the maintainer-defined semver range (1.32.3–1.34.5)
  • Avoid enumerating Git tags as affected “versions” when introduced: "0" is used
  • Filter out foreign or non-release tag namespaces (e.g., curl-*) when deriving affected versions
  • Prefer upstream advisory version ranges over derived Git tag lists when available

Any of the above would prevent non-existent or misleading versions from being presented to consumers.

Additional context
Official CVE JSON (CVEProject – authoritative source)
https://github.com/CVEProject/cvelistV5/blob/main/cves/2025/62xxx/CVE-2025-62408.json

GitHub Security Advisory (maintainer-defined affected versions)
https://github.com/advisories/GHSA-9p46-rw79-6j25
(Affected: 1.32.3–1.34.5, Fixed: 1.34.6)

NVD Entry
https://nvd.nist.gov/vuln/detail/CVE-2025-62408

These sources are consistent with each other and do not reference the versions currently displayed in OSV.
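To make the two suggested adjustments concrete, here is a small added example (not OSV's code, and not part of the issue) that applies them to an OSV-style `affected` entry: it reports which entries of a `versions` list are not plain release versions (foreign namespaces such as `curl-*`), and it clamps an open-ended `introduced: "0"` range to a maintainer-supplied range before rebuilding the `versions` list. The sample entry below is constructed; it uses the three identifiers quoted in the issue plus a few plausible `v1.3x.y` tags, and the advisory range 1.32.3 (introduced) to 1.34.6 (fixed) from the GHSA. The `SEMVER` range type and the `ranges`/`events`/`versions` fields follow the OSV schema; the rest of the structure is an assumption.

```python
"""Sanity-check an OSV 'affected' entry against a maintainer-defined range.

Added example, not OSV's own code. It demonstrates two of the adjustments
proposed in the issue: dropping tags that are not release versions, and
replacing an unbounded introduced "0" with the advisory's range.
"""
import re
from typing import Optional, Tuple

# A release version is a plain dotted triple, optionally prefixed with "v".
# Anything else (curl-7_10_8, c-ares-1_17_0, rc tags, ...) is not a release.
RELEASE_TAG = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a release tag, or None otherwise."""
    m = RELEASE_TAG.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def foreign_tags(versions):
    """Entries of an OSV 'versions' list that are not release versions."""
    return [v for v in versions if parse_version(v) is None]


def sanitize_affected(entry: dict, advisory_introduced: str, advisory_fixed: str) -> dict:
    """Return a copy of an OSV 'affected' entry constrained to [introduced, fixed).

    - every range event with introduced "0" is rewritten to advisory_introduced
    - the 'versions' list keeps only release versions inside the advisory range
    """
    lo = parse_version(advisory_introduced)
    hi = parse_version(advisory_fixed)
    if lo is None or hi is None:
        raise ValueError("advisory bounds must be release versions")

    new_ranges = []
    for rng in entry.get("ranges", []):
        events = []
        for ev in rng.get("events", []):
            if ev.get("introduced") == "0":
                events.append({"introduced": advisory_introduced})
            else:
                events.append(dict(ev))
        new_ranges.append({**rng, "events": events})

    kept = [v for v in entry.get("versions", [])
            if (pv := parse_version(v)) is not None and lo <= pv < hi]
    kept.sort(key=parse_version)
    return {**entry, "ranges": new_ranges, "versions": kept}


# Constructed sample entry (assumption): the three identifiers quoted in the
# issue plus a few plausible release tags, with the unbounded range the issue
# describes. Not copied from the live OSV record.
SAMPLE_AFFECTED = {
    "package": {"name": "c-ares", "ecosystem": "GIT"},
    "ranges": [{"type": "SEMVER",
                "events": [{"introduced": "0"}, {"fixed": "1.34.6"}]}],
    "versions": ["c-ares-1_17_0", "v1.31.0", "curl-7_10_8",
                 "v1.32.3", "v1.33.0", "v1.34.5", "v1.34.6"],
}

# Maintainer-defined range from the GHSA cited in the issue.
ADVISORY_INTRODUCED = "1.32.3"
ADVISORY_FIXED = "1.34.6"


def run_sample() -> dict:
    """Apply both checks to the constructed sample and return the result."""
    return sanitize_affected(SAMPLE_AFFECTED, ADVISORY_INTRODUCED, ADVISORY_FIXED)


if __name__ == "__main__":
    print("foreign tags:", foreign_tags(SAMPLE_AFFECTED["versions"]))
    print("sanitized:", run_sample())
```

Running it flags `c-ares-1_17_0` and `curl-7_10_8` as foreign tags and leaves only `v1.32.3`, `v1.33.0` and `v1.34.5` as affected versions, with the range's `introduced` rewritten to `1.32.3`; `v1.31.0` is dropped because it is below the advisory range, and `v1.34.6` because it is the fixed release. The same check run over a real record would surface exactly the kind of tag-enumeration artefacts the issue reports.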

Metadata

Labels: data quality (Issues with data quality)
