Describe the bug
POST /v1/query does not return CVE-2025-10256 for FFmpeg 6.1.2, even though the OSV advisory and the original MITRE CVE record both indicate that FFmpeg versions >= 3.2 and < 8.0 are affected.
Package-only query returns the CVE, but exact applicability queries by both version and commit return no vulnerabilities.
To Reproduce
Steps to reproduce the behaviour:
- Query OSV for the FFmpeg package without a version:
  ```shell
  curl -sS https://api.osv.dev/v1/query \
    -H 'Content-Type: application/json' \
    -d '{"package":{"name":"github.com/ffmpeg/ffmpeg","ecosystem":"GIT"}}' \
    | jq -r '.vulns[]?.id' | rg 'CVE-2025-10256'
  ```
- Observe that CVE-2025-10256 is present in the package-only result.
- Query OSV for FFmpeg 6.1.2 by version:
  ```shell
  curl -sS https://api.osv.dev/v1/query \
    -H 'Content-Type: application/json' \
    -d '{"package":{"name":"github.com/ffmpeg/ffmpeg","ecosystem":"GIT"},"version":"6.1.2"}' \
    | jq
  ```
- Observe that the result contains no vulnerabilities.
- Query OSV for the exact upstream commit of tag n6.1.2:
  ```shell
  curl -sS https://api.osv.dev/v1/query \
    -H 'Content-Type: application/json' \
    -d '{"package":{"name":"github.com/ffmpeg/ffmpeg","ecosystem":"GIT"},"commit":"b1a4534186ca51b0457579fc05a5739eb2cc45cd"}' \
    | jq
  ```
- Observe that the result again contains no vulnerabilities.

Reference: upstream FFmpeg/FFmpeg tag n6.1.2 dereferences to commit b1a4534186ca51b0457579fc05a5739eb2cc45cd.
Expected behaviour
POST /v1/query should return CVE-2025-10256 for FFmpeg 6.1.2, both when queried by:
- version: "6.1.2"
- commit: "b1a4534186ca51b0457579fc05a5739eb2cc45cd"

This expectation is based on:
- The MITRE record, which states that affected versions are 3.2 <= version < 8.0.
Screenshots
Not applicable.
Additional context
Relevant observations:
- Package-only query includes CVE-2025-10256.
- Exact applicability queries by version and commit do not.
- The issue does not appear to be caused by repository name casing: github.com/FFmpeg/FFmpeg and github.com/ffmpeg/ffmpeg both return no match for exact queries.
- The commit used in the reproducer is the upstream commit pointed to by the annotated tag n6.1.2:
  ```shell
  git ls-remote --tags https://github.com/FFmpeg/FFmpeg.git n6.1.2 n6.1.2^{}
  ```
  returns:
  ```
  74a316ad39c2cc3c9e689a1122f2bab692dec072 refs/tags/n6.1.2
  b1a4534186ca51b0457579fc05a5739eb2cc45cd refs/tags/n6.1.2^{}
  ```
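The following is an added example, not code from osv.dev or from this report. It builds the three request bodies used above (package-only, by version, by commit), evaluates an advisory's affected range locally the way the reporter expects the API to (3.2 <= version < 8.0 contains 6.1.2), and flags the inconsistency observed here: an advisory present in the package-only result but absent from both exact queries. Assumptions: the `/v1/query` response shape `{"vulns": [{"id": ...}]}`, the OSV schema fields `affected[].ranges[].events` with `introduced`/`fixed` keys, and a constructed advisory fragment and constructed responses standing in for live data; `query_osv` is a hypothetical helper name for the live request and is not used by the offline sample.

```python
"""Offline helpers for checking OSV /v1/query applicability results.

Added example; not osv.dev code. The advisory fragment and responses below are
constructed to mirror the report, not fetched from the API.
"""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"
PACKAGE = {"name": "github.com/ffmpeg/ffmpeg", "ecosystem": "GIT"}


def build_query(package, version=None, commit=None):
    """Build the /v1/query body for the package-only, by-version, or by-commit query."""
    body = {"package": dict(package)}
    if version is not None:
        body["version"] = version
    if commit is not None:
        body["commit"] = commit
    return body


def vuln_ids(response):
    """Advisory IDs in a /v1/query response; an empty JSON object means no matches."""
    return {v["id"] for v in response.get("vulns", [])}


def _parse_version(text):
    # Simplification: dotted numeric versions only (FFmpeg tags such as 6.1.2).
    return tuple(int(part) for part in text.split("."))


def version_in_range(version, events):
    """Evaluate ordered OSV events (introduced/fixed) for SEMVER/ECOSYSTEM ranges.

    A version is affected when it is >= the latest 'introduced' event and below the
    'fixed' event that follows it. "0" as 'introduced' means every version from the
    start. GIT ranges need repository history and are not handled here.
    """
    v = _parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event:
            start = event["introduced"]
            affected = start == "0" or v >= _parse_version(start)
        elif "fixed" in event and affected:
            if v >= _parse_version(event["fixed"]):
                affected = False
    return affected


def advisory_applies(advisory, version):
    """True if an explicit version list or a SEMVER/ECOSYSTEM range covers `version`."""
    for affected in advisory.get("affected", []):
        if version in affected.get("versions", []):
            return True
        for rng in affected.get("ranges", []):
            if rng.get("type") in ("SEMVER", "ECOSYSTEM") and version_in_range(
                version, rng.get("events", [])
            ):
                return True
    return False


def consistency_report(package_resp, exact_resps, cve_id):
    """Flag the failure mode from the report: a package-only hit dropped by exact queries."""
    in_package = cve_id in vuln_ids(package_resp)
    missing = sorted(name for name, r in exact_resps.items() if cve_id not in vuln_ids(r))
    return {
        "in_package_query": in_package,
        "missing_from": missing,
        "inconsistent": in_package and bool(missing),
    }


# Constructed advisory fragment in OSV record shape; the range encodes the MITRE
# statement quoted in the report (3.2 <= version < 8.0). Not a real OSV fetch.
SAMPLE_ADVISORY = {
    "id": "CVE-2025-10256",
    "affected": [
        {
            "package": PACKAGE,
            "ranges": [
                {"type": "ECOSYSTEM", "events": [{"introduced": "3.2"}, {"fixed": "8.0"}]}
            ],
        }
    ],
}

# Constructed responses reproducing the observation: package hit, exact misses.
SAMPLE_PACKAGE_RESP = {"vulns": [{"id": "CVE-2025-10256"}]}
SAMPLE_EXACT_RESPS = {"version": {}, "commit": {}}


def query_osv(body, timeout=10):
    """Hypothetical live helper (network); mirrors the curl calls in the report."""
    req = urllib.request.Request(
        OSV_QUERY_URL,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_query(PACKAGE, version="6.1.2")))
    print("range covers 6.1.2:", advisory_applies(SAMPLE_ADVISORY, "6.1.2"))
    print(consistency_report(SAMPLE_PACKAGE_RESP, SAMPLE_EXACT_RESPS, "CVE-2025-10256"))
```

The local range check is the oracle to compare the API against: if `advisory_applies` says a version is covered while the by-version and by-commit queries return nothing, the gap is in the service's applicability matching rather than in the advisory's stated range. To run it against live data, replace the constructed responses with `query_osv(build_query(...))` for each of the three query styles.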