Skip to content

[GHSA-gmq8-994r-jv83] yauzl contains an off-by-one error#7168

Merged
advisory-database[bot] merged 1 commit intoadalinesimonian/advisory-improvement-7168from
adalinesimonian-GHSA-gmq8-994r-jv83
Mar 16, 2026
Merged

[GHSA-gmq8-994r-jv83] yauzl contains an off-by-one error#7168
advisory-database[bot] merged 1 commit intoadalinesimonian/advisory-improvement-7168from
adalinesimonian-GHSA-gmq8-994r-jv83

Conversation

@adalinesimonian
Copy link

@adalinesimonian adalinesimonian commented Mar 14, 2026

Updates

  • Affected products
  • CVSS v3

Comments
3.2.0 is the only version with the bug as it is the version where the vulnerable code was introduced. This CVE does not apply to any other version of yauzl. The current version range is resulting in numerous usages of non-vulnerable versions of yauzl getting flagged.

Copilot AI review requested due to automatic review settings March 14, 2026 21:08
@github-actions github-actions bot changed the base branch from main to adalinesimonian/advisory-improvement-7168 March 14, 2026 21:09
Copilot AI reviewed Mar 14, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

G-Rath
G-Rath approved these changes Mar 15, 2026
View reviewed changes
Copy link

@G-Rath G-Rath left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for what it's worth, this looks right to me assuming you didn't add the versions manually - I don't think I've seen it in previous GH advisories, but maybe they generate it if the range is very small?

@G-Rath G-Rath mentioned this pull request Mar 16, 2026
Merged
G-Rath added a commit to ackama/nzsl-share that referenced this pull request Mar 16, 2026
@G-Rath
chore: ignore incorrect GHSA-gmq8-994r-jv83 advisory (#823)
494935e 
This vulnerability only applies to a specific version that we're not
using, but the [advisory has not yet been
updated](github/advisory-database#7168)
@adalinesimonian
Copy link
Author

adalinesimonian commented Mar 16, 2026

for what it's worth, this looks right to me assuming you didn't add the versions manually - I don't think I've seen it in previous GH advisories, but maybe they generate it if the range is very small?

The only thing I changed on the suggest changes page was to change the version range; any other changes in the JSON happened without my direct input.

@advisory-database advisory-database bot merged commit 14689ba into adalinesimonian/advisory-improvement-7168 Mar 16, 2026
7 of 8 checks passed
@advisory-database
Copy link
Contributor

advisory-database bot commented Mar 16, 2026

Hi @adalinesimonian! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the adalinesimonian-GHSA-gmq8-994r-jv83 branch March 16, 2026 12:35
@adalinesimonian adalinesimonian mentioned this pull request Mar 16, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@G-Rath G-Rath G-Rath approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@adalinesimonian @G-Rath