Dev rejects CVE severity, makes his GitHub repo read-only

Developer Fedor Indutny archived the popular ‘ip’ open-source project after a disputed CVE report was filed against it, leaving its GitHub repository read-only. The report concerned the incorrect identification of private IP addresses written in a non-standard format, which produced inconsistent results. Indutny disputed the severity of the bug, which was later fixed. The incident highlights a growing trend of unverified CVE reports being filed, creating headaches for maintainers; similar cases involving ‘curl’ and ‘micromatch’ raise questions about the balance between responsible disclosure and over-reporting theoretical vulnerabilities. With no clear solution in sight, developers are left exposed to unnecessary panic and exhaustion.
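The summary's core technical point is that an address written in a non-standard form can be classified inconsistently by a check that looks at the raw string. The example below is added here and is not the ‘ip’ package's code, nor does it reproduce the specific defect reported against it: it contrasts a naive pattern-based private-range check with one that first normalizes hexadecimal, octal, short-form and single-integer IPv4 notations (the forms inet_aton-style resolvers accept) to a canonical dotted-quad. The sample inputs, the private ranges chosen, and the helper names are my own assumptions.

```javascript
// Added example, not the `ip` package's code. Assumption: inputs may use
// hex octets (0x7f), octal octets (0177), fewer than four parts (127.1)
// or a bare integer (2130706433), as inet_aton-style parsers accept.

// Parse one dotted part in decimal, octal or hexadecimal; NaN if malformed.
function parseIPv4Part(part) {
  if (/^0x[0-9a-f]+$/i.test(part)) return parseInt(part.slice(2), 16);
  if (/^0[0-7]+$/.test(part)) return parseInt(part, 8);
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Normalize to canonical dotted-quad ("a.b.c.d"), or null if unparseable.
// With fewer than four parts, the last part fills the remaining bytes.
function normalizeIPv4(str) {
  const parts = str.trim().split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some(Number.isNaN)) return null;
  const head = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  if (head.some((n) => n > 255)) return null;
  const remainingBytes = 4 - head.length;
  if (last < 0 || last >= 2 ** (8 * remainingBytes)) return null;
  let value = 0;
  for (const n of head) value = value * 256 + n;
  value = value * 256 ** remainingBytes + last; // fits in 32 bits by construction
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join('.');
}

// Private / loopback / link-local ranges used for this example (assumed list).
const PRIVATE_RANGES = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16],
];

function toInt(dotted) {
  return dotted.split('.').reduce((acc, o) => acc * 256 + Number(o), 0);
}

function inCidr(dotted, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((toInt(dotted) & mask) >>> 0) === ((toInt(base) & mask) >>> 0);
}

// Naive check: matches the raw string, so any non-canonical spelling of a
// private address slips through. This is the class of mistake to avoid.
function isPrivateNaive(str) {
  return /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)/.test(str);
}

// Hardened check: normalize first; unparseable input returns null so the
// caller can reject it rather than treat it as public.
function isPrivateNormalized(str) {
  const canon = normalizeIPv4(str);
  if (canon === null) return null;
  return PRIVATE_RANGES.some(([base, bits]) => inCidr(canon, base, bits));
}

// Constructed inputs for the demonstration.
const SAMPLE_INPUTS = [
  '127.0.0.1', '0x7f.0.0.1', '0177.0.0.1', '127.1', '2130706433',
  '8.8.8.8', '172.16.5.4', '0xac.0x10.5.4', '999.1.1.1',
];

function compare(inputs = SAMPLE_INPUTS) {
  return inputs.map((s) => ({
    input: s,
    canonical: normalizeIPv4(s),
    naive: isPrivateNaive(s),
    normalized: isPrivateNormalized(s),
  }));
}

console.table(compare());
```

Running it prints a table where the naive column says "false" for `0x7f.0.0.1`, `0177.0.0.1` and `2130706433` even though every one of them canonicalizes to `127.0.0.1`; the normalized column agrees for all spellings, and the malformed `999.1.1.1` comes back as null so it can be rejected outright. The design point for a defender is that classification must happen after canonicalization, and that "cannot parse" is a distinct outcome from "not private".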

https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/
