On Sun Aug 3, 2025 at 7:11 PM CEST, Andrea Pappacoda wrote:
After taking a closer look at these CVEs, I found out that
CVE-2025-53628's description is completely wrong. In fact, it describes
CVE-2025-46728 (I believe they got mixed up since they both end with 28).
This theory of mine is also reinforced by the fact that the GitHub
advisory of CVE-2025-53629 mentions CVE-2025-46728, and not 53628.
Opening the GitHub advisory, you can find the correct description, which
is about HTTP header smuggling (and not memory exhaustion).
Apart from being annoying, this also makes it harder for me to figure
out which commit actually fixed the vulnerability of GHSA-j6p8-779x-p5pw
(i.e., the real CVE-2025-53628), as upstream's commit messages are...
let's say... unhelpful.
What should I do? How can the CVE text be rectified? (CVE-2025-53629
should be modified as well, to mention CVE-2025-46728).
Did some more digging, and it turns out that even the commit mentioned in
CVE-2025-53629 is wrong: that commit in fact fixes 53628.
- The commit fixing CVE-2025-53628 is 17ba303889b8d4d719be3879a70639ab653efb99
- The commit fixing CVE-2025-53629 is 082acacd4581d10e05fccbe9cb336aa7822c4ea2
I'm also sending this to [email protected], as this seems to me to be relevant
information for fixing the CVEs, not the package itself.
Bye!