GHSA-5f7q-jpqc-wp7h: OSV export missing fixed events for 15.x canary ranges, causing false positives #7295
Description
Advisory
- GHSA: GHSA-5f7q-jpqc-wp7h
- CVE: CVE-2025-59472
- Package: next (npm)
Problem
The GitHub advisory UI correctly shows bounded affected ranges for the 15.x canary entries (e.g., >= 15.3.0-canary.0, < 15.3.0), but the OSV export at https://api.osv.dev/v1/vulns/GHSA-5f7q-jpqc-wp7h is missing fixed events for all 15.x canary ranges except 15.6.0-canary.
For example, the 15.5.1-canary range in the OSV JSON:
```json
{
  "ranges": [{"type": "SEMVER", "events": [{"introduced": "15.5.1-canary.0"}]}],
  "database_specific": {
    "last_known_affected_version_range": "< 15.5.1"
  }
}
```

The expected output should be:
```json
{
  "ranges": [{"type": "SEMVER", "events": [{"introduced": "15.5.1-canary.0"}, {"fixed": "15.5.1"}]}]
}
```

Per the OSV spec, a range with only an introduced event and no fixed event means all versions from introduced onward are affected. This causes tools like osv-scanner to flag versions like 16.2.1 as vulnerable, since 16.2.1 >= 15.5.1-canary.0 is true and there's no upper bound.
The last_known_affected_version_range field in database_specific is not part of the formal range specification and is not evaluated by osv-scanner.
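To make the evaluation concrete, here is a small range evaluator written for this report (it is not osv-scanner's code, nor anything from the advisory database tooling). It applies SemVer 2.0 precedence to `ranges[].events` exactly as the spec describes, ignores `database_specific` as scanners do, and includes a lint that flags any SEMVER range carrying an `introduced` event with no `fixed` or `last_affected` upper bound. The two `affected` records are transcribed from the JSON quoted above; the `package` object is added as an assumption so the lint has a name to report.

```python
"""Evaluate OSV SEMVER ranges the way a scanner does, and lint for
unbounded ranges (an "introduced" event with no "fixed"/"last_affected").

Illustrative code for this issue, not osv-scanner's implementation.
The two records below are constructed from the JSON quoted in the issue."""
import re
from typing import Any

_SEMVER_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def semver_key(version: str) -> tuple:
    """Sort key implementing SemVer 2.0 precedence.

    A release outranks any pre-release of the same core (15.5.1 > 15.5.1-canary.0);
    pre-release identifiers compare numerically when numeric, lexically
    otherwise, with numeric identifiers ranking below alphanumeric ones.
    OSV uses the bare string "0" for "from the first version"; it maps to
    the lowest possible key.
    """
    if version == "0":
        return ((0, 0, 0), 0, ())
    m = _SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if not pre:
        return (core, 1, ())  # release: higher than every pre-release of this core
    idents = tuple(
        (0, int(ident)) if ident.isdigit() else (1, ident)
        for ident in pre.split(".")
    )
    return (core, 0, idents)


def is_affected(version: str, affected: dict[str, Any]) -> bool:
    """True if `version` lies inside any SEMVER range of one OSV `affected`
    entry.  Only `ranges[].events` are consulted; `database_specific` is
    free-form metadata and is deliberately ignored, as scanners ignore it."""
    v = semver_key(version)
    for rng in affected.get("ranges", []):
        if rng.get("type") != "SEMVER":
            continue
        # Walk the events in version order, toggling the affected state.
        events = sorted(
            (semver_key(val), kind)
            for ev in rng["events"]
            for kind, val in ev.items()
        )
        state = False
        for key, kind in events:
            if key > v:
                break
            if kind == "introduced":
                state = True
            elif kind == "fixed":
                state = False
            elif kind == "last_affected":
                state = key == v  # affected up to and including this version
        if state:
            return True
    return False


def unbounded_ranges(vuln: dict[str, Any]) -> list[str]:
    """Lint an OSV record: describe every SEMVER range that has an
    `introduced` event but no `fixed`/`last_affected` upper bound.
    This is exactly the shape that produced the false positives."""
    findings = []
    for affected in vuln.get("affected", []):
        for rng in affected.get("ranges", []):
            if rng.get("type") != "SEMVER":
                continue
            kinds = {kind for ev in rng["events"] for kind in ev}
            if "introduced" in kinds and not kinds & {"fixed", "last_affected"}:
                intro = [ev["introduced"] for ev in rng["events"] if "introduced" in ev]
                findings.append(
                    f"{affected['package']['name']}: introduced {intro} with no upper bound"
                )
    return findings


# Transcribed from the issue; the "package" object is an assumption.
BROKEN = {
    "package": {"ecosystem": "npm", "name": "next"},
    "ranges": [{"type": "SEMVER", "events": [{"introduced": "15.5.1-canary.0"}]}],
    "database_specific": {"last_known_affected_version_range": "< 15.5.1"},
}
EXPECTED = {
    "package": {"ecosystem": "npm", "name": "next"},
    "ranges": [{"type": "SEMVER", "events": [
        {"introduced": "15.5.1-canary.0"}, {"fixed": "15.5.1"}]}],
}

if __name__ == "__main__":
    for ver in ("15.5.0", "15.5.1-canary.0", "15.5.1-canary.3", "15.5.1", "16.2.1"):
        print(f"{ver:18} broken={is_affected(ver, BROKEN)!s:5} expected={is_affected(ver, EXPECTED)}")
    print(unbounded_ranges({"affected": [BROKEN, EXPECTED]}))
```

Running it shows 16.2.1 (and anything newer) affected under the exported record and not affected once the `fixed` event is present, while the `database_specific` hint changes nothing. The lint is the check a consumer or exporter can run over a whole record before publishing or ingesting it.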
Affected entries
All 15.x canary entries are affected (14 of 16 total entries). Only the 16.x range and 15.6.0-canary range have proper fixed events. It appears the "Patched versions" field in the advisory is empty for these entries, which causes the export to omit the fixed event.
Impact
osv-scanner (used by GitHub code scanning) produces false positive alerts for next@16.2.1 and likely any other stable Next.js version above 15.0.0-canary.0.