Data quality issue with CVE-2025-22233
CVE-2025-22233: There is no description that the Spring Framework is also vulnerable due to this CVE: 6.2.0 - 6.2.6, 6.1.0 - 6.1.19, 6.0.0 - 6.0.27, 5.3.0 - 5.3.42.
This information is listed on the official Spring (https://spring.io/security/cve-2025-22233) and NVD websites. It is necessary to add information about the vulnerability of this product. If I understand correctly, then all Spring Framework products (for example, Spring Context) are vulnerable to this vulnerability.
:sparkles: Thank you for your interest in OSV.dev's data quality! :sparkles:
Please review our FAQ entry on how to most efficiently have this addressed.
Hi @blablacar12345! Thanks for bringing this up!
There's a couple of parts to this so bear with me!
- We don't currently import data directly from the Spring database, but if you are willing to convince them to publish their advisories to the OSV format, we would be happy to ingest them!
- While this record does exist on NVD:
  - It is still awaiting analysis
  - The description is generally a mess, so while our parser does a best-effort job of reading the description, it likely would not be able to pick these up appropriately.
  - There's no CPE string or external references/links - we currently rely on CPE strings to give us valuable information about the product and versions affected; without these, we aren't able to make a record to say what is actually affected (programmatically speaking). The lack of a CPE string is likely related to the fact that it is still awaiting analysis by the NVD.
- While we are looking at introducing ingestion via the CVEList as well, looking at the CVE on the CVEList: it is also not at a quality that would be able to be easily parsed currently, but we might be able to eventually use some magic (and other datafeeds) to try to extract the package information to make this viable.
While we are looking at possible ways to generally deal with parsing lower quality vuln entries, for now we can't really do much about this.
Let me know if you have any questions or suggestions!
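To make "programmatically speaking" concrete, here is an added example (not OSV.dev's parser and not code posted in this thread) that turns the affected-version text quoted in the issue into an OSV-schema `affected` entry and evaluates versions against it. The Maven coordinate `org.springframework:spring-context` and the plain numeric version ordering are assumptions made for illustration; real Maven version comparison handles qualifiers that this sketch does not.

```python
import re

# Affected-version text exactly as quoted in the issue above.
RANGES_TEXT = "6.2.0 - 6.2.6 6.1.0 - 6.1.19 6.0.0 - 6.0.27 5.3.0 - 5.3.42"

# Assumption: Maven coordinate for the "spring context" module named in the issue.
PACKAGE = {"ecosystem": "Maven", "name": "org.springframework:spring-context"}

RANGE_RE = re.compile(r"(\d+(?:\.\d+)+)\s*-\s*(\d+(?:\.\d+)+)")


def key(version):
    """Numeric sort key for plain dotted versions (qualifiers are not handled)."""
    return tuple(int(part) for part in version.split("."))


def parse_ranges(text):
    """Return sorted (introduced, last_affected) pairs found in free text."""
    pairs = RANGE_RE.findall(text)
    for low, high in pairs:
        if key(low) > key(high):
            raise ValueError(f"inverted range: {low} - {high}")
    return sorted(pairs, key=lambda pair: key(pair[0]))


def to_osv_affected(text, package=PACKAGE):
    """Build one OSV `affected` entry with introduced/last_affected events."""
    events = []
    for low, high in parse_ranges(text):
        events += [{"introduced": low}, {"last_affected": high}]
    return {"package": package, "ranges": [{"type": "ECOSYSTEM", "events": events}]}


def is_affected(affected, version):
    """Evaluate a version against the events, as a consumer of the record would."""
    candidate, start = key(version), None
    for event in affected["ranges"][0]["events"]:
        if "introduced" in event:
            start = key(event["introduced"])
        elif "last_affected" in event and start is not None:
            if start <= candidate <= key(event["last_affected"]):
                return True
            start = None
    return False


if __name__ == "__main__":
    import json
    print(json.dumps(to_osv_affected(RANGES_TEXT), indent=2))
```

Without a package identity and ranges in this structured form, a scanner has nothing to match a dependency's coordinate and version against, which is the gap the comment above describes.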
This issue has not had any activity for 60 days and will be automatically closed in two weeks
See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.
Automatically closing stale issue