Incorrect affected range in OSV record for CVE-2024-24267


Iris Iris

Sep 7, 2025, 5:43:08 PM
to osv-d...@googlegroups.com
To the OSV.dev Security Team,

I'm writing to report an inconsistency in the `affected` version ranges for CVE-2024-24267 on OSV.dev.

**Issue**:
The OSV entry lists versions from `v0.*` to `v2.2.0` as affected:

> Affected versions:
> v0.5.2, v0.6.0, v0.6.1, ..., v2.2.0

However, multiple sources and the actual upstream patch [commit d28d9ba](https://github.com/gpac/gpac/commit/d28d9ba45cf4f628a7b2c351849a895e6fcf2234) indicate that:

- The vulnerable version is **v2.2.1**
- The issue was fixed in **v2.4.0**
- Earlier versions (v0.* to v2.2.0) do **not** contain the vulnerable code

**References**:
- Patch commit: https://github.com/gpac/gpac/commit/d28d9ba45cf4f628a7b2c351849a895e6fcf2234
- Reproduction PoC: https://github.com/yinluming13579/gpac_defects/blob/main/gpac_3.md
- Upstream confirmation: https://github.com/gpac/gpac/issues/2571

Please consider updating the `affected` ranges to reflect:
Introduced: 2.2.1
Fixed: 2.4.0

Thank you for your work maintaining OSV.

Best regards,  
ZHANG YUXIN
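One way to see what the requested change means for anyone consuming the record is to evaluate both shapes of the OSV `affected` data against concrete versions. The following is an added example, not code from this thread or from OSV.dev itself: the two records are constructed from the figures quoted above (the explicit version list ending at v2.2.0, and the proposed introduced 2.2.1 / fixed 2.4.0 range), the `SEMVER` range type and the introduced/fixed event semantics are assumed from the OSV schema, and package metadata is left out.

```python
"""Evaluate OSV-style `affected` data for a given version.

Added example (not from the thread or from OSV.dev's own code). Assumes the
OSV schema's event semantics: events are walked in version order, and a
version is affected if the last event at or below it is an `introduced`.
Both records below are constructed from the figures in the report.
"""
from typing import Dict, Tuple

Version = Tuple[int, ...]


def parse_version(tag: str) -> Version:
    """Turn a gpac-style tag such as 'v2.2.1' (or the OSV sentinel '0') into a comparable tuple."""
    return tuple(int(part) for part in tag.lstrip("v").split("."))


def _event_version(event: Dict[str, str]) -> Version:
    # Each OSV event is a one-key dict: {"introduced": ...}, {"fixed": ...} or {"last_affected": ...}.
    return parse_version(next(iter(event.values())))


def range_affected(rng: Dict, version: Version) -> bool:
    """Apply introduced / fixed / last_affected events (assumed OSV semantics) to one range."""
    if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
        raise ValueError(f"unsupported range type {rng.get('type')!r}")
    affected = False
    for event in sorted(rng["events"], key=_event_version):
        event_version = _event_version(event)
        if event_version > version:
            break  # later events cannot change the state of this version
        if "introduced" in event:
            affected = True
        elif "fixed" in event:
            affected = False
        elif "last_affected" in event:
            # Affected up to and including this version; anything later is not listed as affected.
            affected = event_version == version
    return affected


def is_affected(record: Dict, tag: str) -> bool:
    """True if the version appears in an explicit `versions` list or falls inside a range."""
    version = parse_version(tag)
    for entry in record.get("affected", []):
        if any(parse_version(v) == version for v in entry.get("versions", [])):
            return True
        if any(range_affected(r, version) for r in entry.get("ranges", [])):
            return True
    return False


# Constructed subset of the explicit list quoted in the report (v0.5.2 ... v2.2.0).
CURRENT_RECORD = {
    "id": "CVE-2024-24267",
    "affected": [{"versions": ["v0.5.2", "v0.6.0", "v0.6.1", "v2.0.0", "v2.2.0"]}],
}

# The range the report asks for: introduced 2.2.1, fixed 2.4.0 (SEMVER type assumed).
PROPOSED_RECORD = {
    "id": "CVE-2024-24267",
    "affected": [{
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "2.2.1"}, {"fixed": "2.4.0"}]}],
    }],
}


if __name__ == "__main__":
    for tag in ("v2.2.0", "v2.2.1", "v2.3.0", "v2.4.0"):
        print(tag, "current:", is_affected(CURRENT_RECORD, tag),
              "proposed:", is_affected(PROPOSED_RECORD, tag))
```

Run as a script, the table makes the discrepancy concrete: under the current record v2.2.1 (the version the patch commit actually addresses) is reported as unaffected while v2.2.0 is flagged, and under the proposed range the answers flip, with v2.4.0 correctly reported as fixed.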

Jess Lowe

Sep 9, 2025, 11:31:17 PM
to osv-discuss
Hi! 
Thanks for the report, and your interest in OSV's data quality! 

We currently source this versioning data from the NVD on a best effort conversion. In this case, the immediately given data is somewhat ambiguous, and while we are looking at improving our version extraction through the addition of CVEListV5 conversion, the data on CVEList is of a similar ambiguous quality, so isn't likely to convert well either. We have some plans to hopefully improve this conversion in the future but it is still a work-in-progress. I have noted this vulnerability as a test case for future improvement work.

We don't currently have the proper infrastructure in place to update individual records, as they will become overwritten the next time the file is reconverted from the NVD. We hope to one day have this functionality, but for now, it is not feasible. 

As such, unfortunately, your current best course of action is to report this to the CVE Program to update the CVE directly.

Best regards,
Jess and the OSV Team. 