
False Positive: CWE-506 Flag on Project Packages

Open Sina-KH opened this issue 6 months ago • 1 comment

Hello,

We’ve noticed that three of our project libraries have been flagged under CWE-506: Embedded Malicious Code in the GitHub security advisories. After reviewing the codebase and package history, we believe this is a false positive.

There is no obfuscation, suspicious behavior, or embedded malicious code present in these packages. We suspect this flag may have been triggered erroneously—possibly due to a misinterpretation of certain implementation patterns or dependencies.

Reports:

https://github.com/advisories/GHSA-ccc7-4x7f-rx8r
https://github.com/advisories/GHSA-59c9-98cx-68fw
https://github.com/advisories/GHSA-xw5j-qjmv-9fjx

We kindly request a review of these advisories, and we’re happy to provide any clarifications or code details needed to assist in resolving this matter.

Thanks in advance for your attention and support!

Sina-KH avatar Apr 23 '25 22:04 Sina-KH