CVE-2025-26042 Still Listed as Open on Docker Scout Despite Being Fixed

[marcschaeferger]

I would like to report an issue where CVE-2025-26042 is still marked as open/vulnerable on Docker Scout, even though this CVE has already been fixed.

Background

There were previously duplicate advisories for this vulnerability:

• GitHub Advisory:
  GHSA-hx7h-9vf7-5xhg (current and authoritative, shows the issue as fixed)

• Withdrawn GitHub Advisory:
  GHSA-3rw8-4xrq-3f7p (withdrawn as a duplicate of the above)

• NIST & GitLab Advisories:

  • Both still reference CVE-2025-26042, but do not reflect the current fixed status like GitHub does.

Request

Please update the status of CVE-2025-26042 on Docker Scout and display the correct fixed/patched version in accordance with the GitHub advisory (GHSA-hx7h-9vf7-5xhg).

If further details or context are needed, please let me know!

Thank you!

[cdupuis]

The data in this advisory is interesting;

 "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "uptime-kuma"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "1.15.0"
            },
            {
              "last_affected": "1.23.16"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "uptime-kuma"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "2.0.0-beta.0"
            },
            {
              "fixed": "2.0.0-beta.2"
            }
          ]
        }
      ]
    }
  ],

as per https://github.com/github/advisory-database/blob/9e611acf1eaba9c8bff600c958c992300538dbf6/advisories/github-reviewed/2025/03/GHSA-hx7h-9vf7-5xhg/GHSA-hx7h-9vf7-5xhg.json

One of the ranges only has a last_affected which is what Scout shows as the >=1.15.0,<=1.23.16 in the affected range. For Scout to show a fix version, the fixed event would need to be present.

[marcschaeferger]

@cdupuis Ah, okay. That makes sense! This also explains why the affected range appears to be wrong — as 2.0.0-beta.1 was still affected, meaning the range doesn't correctly reflect the state of the vulnerability.

To ensure Docker Scout reports the correct fixed version (2.0.0-beta.2), the JSON should look like the following:

"affected": [
    {
        "package": {
            "ecosystem": "npm",
            "name": "uptime-kuma"
        },
        "ranges": [
            {
                "type": "ECOSYSTEM",
                "events": [
                    {
                        "introduced": "1.15.0"
                    }
                ]
            }
        ]
    },
    {
        "package": {
            "ecosystem": "npm",
            "name": "uptime-kuma"
        },
        "ranges": [
            {
                "type": "ECOSYSTEM",
                "events": [
                    {
                        "introduced": "2.0.0-beta.0"
                    },
                    {
                        "last_affected": "2.0.0-beta.1"
                    },
                    {
                        "fixed": "2.0.0-beta.2"
                    }
                ]
            }
        ]
    }
]

Am i right? Then i will create a Pull request for that in the upstream Github Advisory Repo

[marcschaeferger]

Multiple Outdated Advisories for CVE-2025-26042 Shown on Docker Scout

@cdupuis I noticed that Docker Scout currently shows three different advisories/references for CVE-2025-26042 across various platforms (NIST, GitHub, and GitLab). Only the GitHub advisory contains the correct and up-to-date affected ranges and fix information. Both NIST and GitLab currently have outdated or incorrect data.

Here are some screenshots for reference:

Problem

• GitHub Advisory:
  • Shows the correct affected ranges and the properly fixed version (2.0.0-beta.2).
• NIST & GitLab References:
  • Contain outdated version data.

Questions

• Is it possible to remove or deprioritize outdated advisory sources (NIST, GitLab) for this CVE in Docker Scout, so that only the correct GitHub data is shown?
• Or, is there a recommended process to report or synchronize these discrepancies to avoid confusion for Docker Scout users?

Thanks for your support and clarification on how to best resolve this!