CVE-2022-23459 and CVE-2022-23460 CPEs match to false positive repository

[docbugger]

The CVE ID
https://osv.dev/vulnerability/CVE-2022-23459

Describe the data quality issue observed
The Osv.Dev record was updated 2025-10-10 (more than 3 years after the CVE date) to flag an additional, unrelated Git repository (https://github.com/nlohmann/json). Neither the NIST nor the GitHub Security Lab report mentions that additional repository, and neither has been updated any more recently than 2024.

Suggested changes to record
Remove the reference to https://github.com/nlohmann/json.

Additional context
As far as I can tell, the newly-flagged repo does not and never has used code from the project flagged in the CVE (https://github.com/hjiang/jsonxx).

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[jess-lowe]

Hi @docbugger, thanks for the report.

Looking into this, it seems that the CPE dictionary we are matching to includes the nlohmann repository as a mapping for this vendor/product combination. This is likely false, but would need NIST to update it.

We currently don't have the infrastructure set up to edit a "single" record in a way that doesn't get immediately overwritten, but I'm looking into solutions on how to prevent these false positives in the future.

[nlohmann]

Please do not assign these issues to nlohmann/json as this project is totally unrelated: we share no code with jsonxx.

[jess-lowe]

Looking further into it, it looks like for some reason nlohmann/json and hjiang/jsonxx share the same CPE string base.

I have issued a temporary fix on OSV.dev side until the NVD resolves the conflict. Please note that as we do this conversion effort autonomously at scale with no manual review, these will continue to happen if a new vulnerability with the same conflicting CPE string crops up. We are at the mercy of the data we get from the NVD for these vulnerabilities.

@nlohmann, I am happy to reach out to cpe_dictionary@nist.gov to handle this issue, but it may be better coming directly from the project owner. Let me know how you want to proceed.

[jess-lowe]

Closing issue for now, as is an upstream data provider issue.

[nlohmann]

@jess-lowe I would really appreciate if you could reach out as I have too little experience on this topic.

[jess-lowe]

@jess-lowe I would really appreciate if you could reach out as I have too little experience on this topic.

No worries, I will reach out :)

[nlohmann]

Thanks a lot!