jwtk/jjwt

CVE-2024-31033 (v0.12.5)

SMadani opened this issue · 2 comments

Just came across this on my build, which seems to not have been reported on this repo. This is the vulnerability: https://www.mend.io/vulnerability-database/CVE-2024-31033.

It's not a vuln; it's currently being disputed and should be rejected soon: https://nvd.nist.gov/vuln/detail/CVE-2024-31033
There are more details on this here: #930 (comment)

Until then you will need to ignore/exclude this as a false positive.

My apologies. After reading the discussion, it seems crazy to me that anyone can file a CVE against a project without a) discussion with the maintainers and b) actual validation / evidence of the supposed vulnerability being exploited. Hope it is rejected soon.