The JSON file for GHSA-jmp9-x22r-554x (CVE-2025-41249) uses `last_affected` for some ranges but only provides a `fixed` version for the 6.2.x range.
Current State

```jsonc
// 5.3.x range - no fixed version
{ "introduced": "5.3.0" },
{ "last_affected": "5.3.44" }
// 6.0.x/6.1.x range - no fixed version
{ "introduced": "6.0.0" },
{ "last_affected": "6.1.22" }
// 6.2.x range - has fixed version
{ "introduced": "6.2.0" },
{ "fixed": "6.2.11" }
```

Issue
The JSON data doesn't include the fixed versions for the 5.3.x and 6.1.x ranges. This causes problems for vulnerability scanning tools that parse `introduced` and `fixed` events, resulting in open-ended ranges like `>=5.3.0` and `>=6.0.0`. This leads to false positives for versions that aren't actually affected.
The GitHub Advisory UI shows proper bounded ranges, but the underlying JSON data is inconsistent which affects downstream tools consuming this data.
Suggestion
The JSON should be updated to include the fixed versions. According to the Spring security advisory, the patched supported versions are:
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 6.2.x | 6.2.11 | OSS |
| 6.1.x | 6.1.23 | Commercial |
| 5.3.x | 5.3.45 | Commercial |