Description
Vulnerability ID:
GHSA-25xr-qj8w-c4vf
https://nvd.nist.gov/vuln/detail/CVE-2025-53506
Package URL or steps to reproduce:
Download tomcat-embed-core 10.1.42 from Maven Central: https://repo1.maven.org/maven2/org/apache/tomcat/embed/tomcat-embed-core/10.1.42/tomcat-embed-core-10.1.42.jar
Run `grype tomcat-embed-core-10.1.42.jar`. It shows six other CVEs, but not CVE-2025-53506.
Anything else we need to know?:
There seems to be conflicting data on whether the CVE applies to tomcat-embed-core: the GHSA page says that org.apache.tomcat:tomcat-coyote is affected. mvnrepository also does not list the CVE for tomcat-embed-core; it is only listed on the coyote artifact.
But according to grype's `db search` command, the CVE should also apply to tomcat-embed-core:
```
$ grype db search CVE-2025-53506 | grep cpe
CVE-2025-53506  cpe:2.3:a:apache:tomcat-coyote:*:*:*:*:*:maven:*:*                    maven  nvd:cpe  < 9.0.107 || >= 10.0.0-M1, < 10.1.43 || >= 11.0.0-M1, < 11.0.9
CVE-2025-53506  cpe:2.3:a:apache:tomcat-embed-core:*:*:*:*:*:maven:*:*                maven  nvd:cpe  < 9.0.107 || >= 10.0.0-M1, < 10.1.43 || >= 11.0.0-M1, < 11.0.9
CVE-2025-53506  cpe:2.3:a:apache:tomcat:*:*:*:*:*:maven:*:*                           maven  nvd:cpe  < 9.0.107 || >= 10.0.0-M1, < 10.1.43 || >= 11.0.0-M1, < 11.0.9
CVE-2025-53506  cpe:2.3:a:org.apache.tomcat.embed:tomcat-embed-core:*:*:*:*:*:maven:*:*  maven  nvd:cpe  < 9.0.107 || >= 10.0.0-M1, < 10.1.43 || >= 11.0.0-M1, < 11.0.9
CVE-2025-53506  cpe:2.3:a:org.apache.tomcat:tomcat-coyote:*:*:*:*:*:maven:*:*         maven  nvd:cpe  < 9.0.107 || >= 10.0.0-M1, < 10.1.43 || >= 11.0.0-M1, < 11.0.9
```
So my main question is: why does the db show that tomcat-embed-core 10.1.42 is affected, but the actual grype scan does not report it?
Environment:
- Output of `grype version`: 0.109.0
- OS (e.g. `cat /etc/os-release` or similar): Ubuntu 22.04.5
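An added example, not part of this issue and not grype's own code, that checks only the version side of the question: it reads the Maven coordinates a jar carries in `META-INF/maven/*/*/pom.properties`, builds the package identity from them, and evaluates the version against the constraint string that `grype db search` prints above. It confirms that 10.1.42 sits inside `>= 10.0.0-M1, < 10.1.43`, so whatever causes the missed match is not the version range; the example does not model how grype decides package identity (CPE versus purl matching), which is the open part of the question. Assumptions: the jar is a constructed in-memory zip containing only a `pom.properties` for `org.apache.tomcat.embed:tomcat-embed-core` 10.1.42 rather than the real artifact; the version ordering is a simplified Maven ordering (milestone qualifiers sort before the bare release), not grype's comparator; and the constraint grammar is inferred from the five output lines (`||` separates alternatives, `,` separates conditions that must all hold).

```python
import io
import re
import zipfile

# Constraint string copied from the `grype db search CVE-2025-53506` output above.
CONSTRAINT = "< 9.0.107 || >= 10.0.0-M1, < 10.1.43 || >= 11.0.0-M1, < 11.0.9"

# Simplified Maven qualifier ordering (an assumption, not grype's comparator):
# pre-release qualifiers sort before the bare release version.
_QUALIFIER_ALIASES = {"a": "alpha", "b": "beta", "m": "milestone", "cr": "rc",
                      "ga": "", "final": "", "release": ""}
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "snapshot": 4, "": 6}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]([A-Za-z]+)[-.]?(\d+)?)?")


def version_key(version: str):
    """Turn '10.0.0-M1' into a tuple that sorts in (simplified) Maven order."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while nums and nums[-1] == 0:          # 10.1 is the same version as 10.1.0
        nums.pop()
    qual = _QUALIFIER_ALIASES.get((m.group(2) or "").lower(), (m.group(2) or "").lower())
    rank = _QUALIFIER_RANK.get(qual, 5)    # unknown qualifiers sort just below a release
    qnum = int(m.group(3)) if m.group(3) else 0
    return (nums, rank, qual, qnum)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to, or newer than b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "=": lambda c: c == 0, "==": lambda c: c == 0}
_TERM_RE = re.compile(r"\s*(<=|>=|==|<|>|=)\s*(\S+)\s*")


def _term_holds(version: str, term: str) -> bool:
    m = _TERM_RE.fullmatch(term)
    if not m:
        raise ValueError(f"unsupported constraint term: {term!r}")
    return _OPS[m.group(1)](compare_versions(version, m.group(2)))


def version_matches(version: str, constraint: str) -> bool:
    """True if the version satisfies any '||' alternative; each alternative is a
    ','-joined list of terms that must all hold (grammar inferred from the db output)."""
    return any(all(_term_holds(version, t) for t in alt.split(","))
               for alt in constraint.split("||"))


def identify_jar(jar_bytes: bytes):
    """Return (groupId, artifactId, version) from the first pom.properties in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8").splitlines():
                    line = line.strip()
                    if line and not line.startswith("#") and "=" in line:
                        k, v = line.split("=", 1)
                        props[k.strip()] = v.strip()
                return props["groupId"], props["artifactId"], props["version"]
    return None


def check_jar(jar_bytes: bytes, constraint: str = CONSTRAINT):
    """Return (purl, affected) for the jar's Maven coordinates against the constraint."""
    coords = identify_jar(jar_bytes)
    if coords is None:
        raise ValueError("jar carries no META-INF/maven/*/*/pom.properties")
    group, artifact, version = coords
    purl = f"pkg:maven/{group}/{artifact}@{version}"
    return purl, version_matches(version, constraint)


def build_sample_jar() -> bytes:
    """Constructed stand-in for tomcat-embed-core-10.1.42.jar: only the Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.tomcat.embed/tomcat-embed-core/pom.properties",
                    "#Constructed sample, not the real artifact\n"
                    "groupId=org.apache.tomcat.embed\n"
                    "artifactId=tomcat-embed-core\n"
                    "version=10.1.42\n")
    return buf.getvalue()


if __name__ == "__main__":
    purl, affected = check_jar(build_sample_jar())
    print(f"{purl}: affected by {CONSTRAINT!r} -> {affected}")
    for v in ("9.0.106", "9.0.107", "10.0.0-M1", "10.1.42", "10.1.43", "11.0.9"):
        print(f"  {v:10} -> {version_matches(v, CONSTRAINT)}")
```

Run it against the constructed jar and the purl comes out as `pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.42` with `affected` true; the boundary versions 9.0.107, 10.1.43 and 11.0.9 fall outside the ranges while 10.0.0-M1 and 11.0.0-M1 fall inside, which is what the `>=` on a milestone bound means. To try it on the real jar, replace `build_sample_jar()` with the bytes of the downloaded file (and check first that the artifact actually ships a `pom.properties`, which this example assumes).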