mapOSVSeverity fails to parse CVSS v3 vector strings, all CVEs default to medium

[btoneill]

What happened?

Description

The mapOSVSeverity method in cve-checker.js calls parseFloat(severity.score) expecting a numeric CVSS base score, but the OSV API returns a CVSS vector string (e.g., CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). parseFloat() returns NaN on this input, so no severity threshold is ever matched and every CVE falls through to the default return value of medium.

This means severity-based filtering is effectively broken — configuring severity: [high, critical] will never block anything, because all CVEs are classified as medium regardless of their actual severity.

Steps to Reproduce

1. Enable CVE checking with severity: [high, critical]
2. Request a package with known HIGH severity CVEs (e.g., lodash@4.17.20 which has GHSA-35jh-r3h4-6jhm rated HIGH with CVSS 7.2)
3. Package is allowed through — no block, no warning
4. Adding medium to the severity list causes all CVEs to be caught, confirming everything maps to medium

Root Cause

In build/lib/cve-checker.js, the mapOSVSeverity method:

mapOSVSeverity(osvSeverity) {
    if (!osvSeverity || osvSeverity.length === 0) {
        return 'medium';
    }
    const severity = osvSeverity[0];
    if (severity.type === 'CVSS_V3') {
        const score = parseFloat(severity.score);  // <-- NaN, score is a vector string
        if (score >= 9.0) return 'critical';
        if (score >= 7.0) return 'high';
        if (score >= 4.0) return 'medium';
        return 'low';
    }
    return 'medium';
}

The OSV API returns:

{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}

Suggested Fix

Either:

1. Parse the CVSS vector string to calculate the base score (e.g., using a library like cvss or @turingpointde/cvss.js)
2. Fall back to database_specific.severity from the OSV response as a secondary source (values: LOW, MODERATE, HIGH, CRITICAL)
3. Both — try CVSS vector parsing first, fall back to database_specific.severity

Environment

• verdaccio-security-filter v1.3.5
• Verdaccio latest (Docker image)
• Node.js v22.22.1

Version

6.x (Stable)

Version details

6.5.2

Output server log info

Node.js Version

22.x.x (Maintenance)

Package manager

npm

Operating system

linux

Using reverse proxy

• I am using a reverse proxy

Relevant log output

Have I checked other issues?

• I have searched existing issues

[juanpicado]

You are referring to another plugin, the one #5548 never had this feature, but worth review the proposal, I'll change the type of the issue.

[mbtools]

ref ponomarenko/verdaccio-security-filter#38

[btoneill]

Yeah, sorry about that, meant it for the plugin page not this one, wasn't thinking when I went to the page. Sorry about that.