Data quality issue with CVE-2025-45582
The CVE ID: https://osv.dev/vulnerability/CVE-2025-45582
Describe the data quality issue observed: OSV.dev is showing this record as withdrawn, but neither NVD nor cve.org display any withdrawn information
Suggested changes to record: I don't think the withdrawn field should be set.
:sparkles: Thank you for your interest in OSV.dev's data quality! :sparkles:
Please review our FAQ entry on how to most efficiently have this addressed.
Hey @mbauman, this is an interesting one. A couple of months ago we decoupled the Debian and Alpine CVE records we ingest to their own records. This record predates that, and was withdrawn from Debian's tracking.
We currently aren't able to convert the record as we don't have a clean method of ingesting them from the NVD or CVEList yet (there's no relevant attached Git repo). Their downstream counterparts will still exist, but we have decided to remove the old withdrawn (previously Debian-converted) CVEs from the database to prevent further confusion.
On a related note - would it be useful to have the CVE record as is from the CVEList/NVD, even if we aren't able to extract version information? We generally don't like having records that aren't matchable, but with the addition of the upstream field earlier this year, I wonder if having the upstream CVE record even without the Affected Package data is still useful?
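For consumers of OSV data, the case in this thread (a withdrawn CVE record whose downstream counterparts still exist) can be triaged as in the sketch below. It is an added example, not OSV.dev's code and not part of the thread. The records are constructed, the `EXAMPLE-*` IDs and ecosystems are hypothetical, and it assumes downstream records point back at the CVE through the OSV schema's `upstream` field.

```python
from datetime import datetime, timezone

# Constructed sample records (not real OSV data). Only the CVE ID comes from the page;
# the EXAMPLE-* IDs, ecosystems, package names and timestamps are hypothetical.
RECORDS = [
    {"id": "CVE-2025-45582", "withdrawn": "2025-01-01T00:00:00Z", "affected": []},
    {"id": "EXAMPLE-DISTRO-A-CVE-2025-45582", "upstream": ["CVE-2025-45582"],
     "affected": [{"package": {"ecosystem": "ExampleDistroA", "name": "examplepkg"}}]},
    {"id": "EXAMPLE-DISTRO-B-CVE-2025-45582", "upstream": ["CVE-2025-45582"],
     "affected": []},
    {"id": "EXAMPLE-DISTRO-C-CVE-2025-45582", "upstream": ["CVE-2025-45582"],
     "withdrawn": "2025-02-01T00:00:00Z",
     "affected": [{"package": {"ecosystem": "ExampleDistroC", "name": "examplepkg"}}]},
]


def is_withdrawn(rec, now=None):
    """True once the record's RFC 3339 `withdrawn` timestamp has passed."""
    ts = rec.get("withdrawn")
    if not ts:
        return False
    now = now or datetime.now(timezone.utc)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) <= now


def classify(rec):
    """withdrawn: ignore; matchable: has `affected` data; reference-only: no package data."""
    if is_withdrawn(rec):
        return "withdrawn"
    return "matchable" if rec.get("affected") else "reference-only"


def resolve(cve_id, records):
    """Status of the CVE record itself, plus live records naming it in `upstream`."""
    by_id = {r["id"]: r for r in records}
    own = classify(by_id[cve_id]) if cve_id in by_id else "absent"
    downstream = {
        r["id"]: classify(r)
        for r in records
        if cve_id in r.get("upstream", []) and not is_withdrawn(r)
    }
    return own, downstream


if __name__ == "__main__":
    print(resolve("CVE-2025-45582", RECORDS))
```

A scanner should match packages only against the `matchable` entries; `reference-only` entries carry the advisory link but cannot produce a version match.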