Fedor Indutny, the author of the io.js platform (a fork of Node.js) and a member of the Technical Committee overseeing Node.js development, recently raised concerns about the incorrect assignment of CVE identifiers to vulnerability reports. He highlighted the problem of vulnerabilities being mislabeled or misrepresented, which leads to unnecessary alarm and additional workload for developers.
Incorrect CVE assignments not only tarnish project reputations but also create a burden for individuals who have to filter through misleading reports. Developers are unable to dispute the assigned threat level or have the CVE revoked, causing frustration.
One instance of this issue affected the Node.js library node-ip, which saw a significant drop in downloads after a critical vulnerability report was published. Despite being used in over 3,500 projects, the false CVE resulted in warnings during the `npm audit` process.
The volume of complaints related to the false CVE prompted the developer of node-ip to place the project repository in archival mode, halting further development efforts. The vulnerability, identified as CVE-2023-42282, was publicly disclosed in February, but the researcher had initially flagged the issue in December 2022.
Prior to the public disclosure, attempts were made to address the problem through the Huntr platform, where researchers aim to receive rewards for identifying vulnerabilities. Despite ongoing efforts to contact the node-ip developers, the issue remained unresolved, leading to the eventual public disclosure.