data/reports: add 3 REVIEWED reports

Change-Id: I188bb924dc3b5f124ed76460b61e9f0239c6797f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/715781
Reviewed-by: Ethan Lee <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: Markus Kusano

data/osv/GO-2025-4027.json

@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4027",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "GHSA-fr8m-434r-g3xp"
+  ],
+  "summary": "Gnark-crypto doesn't range check input values during ECDSA and EdDSA deserialization in github.com/consensys/gnark-crypto",
+  "details": "Gnark-crypto doesn't range check input values during ECDSA and EdDSA deserialization in github.com/consensys/gnark-crypto",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/consensys/gnark-crypto",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.12.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/Consensys/gnark-crypto/security/advisories/GHSA-fr8m-434r-g3xp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Consensys/gnark-crypto/pull/449"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Consensys/gnark-crypto/releases/tag/v0.12.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/advisories/GHSA-9xfq-8j3r-xp5g"
+    },
+    {
+      "type": "WEB",
+      "url": "https://go.dev/blog/defer-panic-and-recover"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4027",
+    "review_status": "REVIEWED"
+  }
+}

data/osv/GO-2025-4038.json

@@ -0,0 +1,95 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4038",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-26625",
+    "GHSA-6pvw-g552-53c5"
+  ],
+  "summary": "Git LFS may write to arbitrary files via crafted symlinks in github.com/git-lfs/git-lfs",
+  "details": "Git LFS may write to arbitrary files via crafted symlinks in github.com/git-lfs/git-lfs",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/git-lfs/git-lfs",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0.5.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    },
+    {
+      "package": {
+        "name": "github.com/git-lfs/git-lfs/v3",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.7.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/git-lfs/git-lfs/v3/commands",
+            "symbols": [
+              "checkoutCommand",
+              "checkoutConflict",
+              "newSingleCheckout",
+              "singleCheckout.Run"
+            ]
+          },
+          {
+            "path": "github.com/git-lfs/git-lfs/v3/lfs",
+            "symbols": [
+              "GitFilter.SmudgeToFile"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e98396"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/git-lfs/git-lfs/commit/5c11ffce9a4f095ff356bc781e2a031abb46c1a8"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/git-lfs/git-lfs/commit/d02bd13f02ef76f6807581cd6b34709069cb3615"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/git-lfs/git-lfs/releases/tag/v3.7.1"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4038",
+    "review_status": "REVIEWED"
+  }
+}

data/osv/GO-2025-4044.json

@@ -0,0 +1,75 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4044",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-54470",
+    "GHSA-qqj3-g7mx-5p4w"
+  ],
+  "summary": "NeuVector telemetry sender is vulnerable to MITM and DoS in github.com/neuvector/neuvector",
+  "details": "NeuVector telemetry sender is vulnerable to MITM and DoS in github.com/neuvector/neuvector",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/neuvector/neuvector",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "custom_ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0.0.0-20230727023453-1c4957d53911"
+              },
+              {
+                "fixed": "0.0.0-20251020133207-084a437033b4"
+              },
+              {
+                "introduced": "5.3.0"
+              },
+              {
+                "fixed": "5.3.5"
+              },
+              {
+                "introduced": "5.4.0"
+              },
+              {
+                "fixed": "5.4.7"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-qqj3-g7mx-5p4w"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/neuvector/neuvector/commit/06424701e69bf1eb76ff90180d78853fded93021"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/neuvector/neuvector/commit/415737cbec581a5dc5f204fac1c78b7f29ad7dc2"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4044",
+    "review_status": "REVIEWED"
+  }
+}

data/reports/GO-2025-4027.yaml

@@ -0,0 +1,23 @@
+id: GO-2025-4027
+modules:
+    - module: github.com/consensys/gnark-crypto
+      versions:
+        - fixed: 0.12.0
+      vulnerable_at: 0.11.2
+summary: |-
+    Gnark-crypto doesn't range check input values during ECDSA and EdDSA
+    deserialization in github.com/consensys/gnark-crypto
+ghsas:
+    - GHSA-fr8m-434r-g3xp
+references:
+    - advisory: https://github.com/Consensys/gnark-crypto/security/advisories/GHSA-fr8m-434r-g3xp
+    - web: https://github.com/Consensys/gnark-crypto/pull/449
+    - web: https://github.com/Consensys/gnark-crypto/releases/tag/v0.12.0
+    - web: https://github.com/advisories/GHSA-9xfq-8j3r-xp5g
+    - web: https://go.dev/blog/defer-panic-and-recover
+notes:
+    - Symbols failed due to Go tooling being unable to determine what version to build dependencies
+source:
+    id: GHSA-fr8m-434r-g3xp
+    created: 2025-10-28T17:37:04.938126994Z
+review_status: REVIEWED

data/reports/GO-2025-4038.yaml

@@ -0,0 +1,37 @@
+id: GO-2025-4038
+modules:
+    - module: github.com/git-lfs/git-lfs
+      versions:
+        - introduced: 0.5.2
+      vulnerable_at: 1.5.6
+    - module: github.com/git-lfs/git-lfs/v3
+      versions:
+        - fixed: 3.7.1
+      vulnerable_at: 3.7.0
+      packages:
+        - package: github.com/git-lfs/git-lfs/v3/commands
+          symbols:
+            - singleCheckout.Run
+            - checkoutConflict
+            - checkoutCommand
+            - newSingleCheckout
+        - package: github.com/git-lfs/git-lfs/v3/lfs
+          symbols:
+            - GitFilter.SmudgeToFile
+summary: |-
+    Git LFS may write to arbitrary files via crafted symlinks in
+    github.com/git-lfs/git-lfs
+cves:
+    - CVE-2025-26625
+ghsas:
+    - GHSA-6pvw-g552-53c5
+references:
+    - advisory: https://github.com/git-lfs/git-lfs/security/advisories/GHSA-6pvw-g552-53c5
+    - fix: https://github.com/git-lfs/git-lfs/commit/0cffe93176b870055c9dadbb3cc9a4a440e98396
+    - fix: https://github.com/git-lfs/git-lfs/commit/5c11ffce9a4f095ff356bc781e2a031abb46c1a8
+    - fix: https://github.com/git-lfs/git-lfs/commit/d02bd13f02ef76f6807581cd6b34709069cb3615
+    - web: https://github.com/git-lfs/git-lfs/releases/tag/v3.7.1
+source:
+    id: GHSA-6pvw-g552-53c5
+    created: 2025-10-28T17:30:07.668806596Z
+review_status: REVIEWED

data/reports/GO-2025-4044.yaml

@@ -0,0 +1,25 @@
+id: GO-2025-4044
+modules:
+    - module: github.com/neuvector/neuvector
+      non_go_versions:
+        - introduced: 0.0.0-20230727023453-1c4957d53911
+        - fixed: 0.0.0-20251020133207-084a437033b4
+        - introduced: 5.3.0
+        - fixed: 5.3.5
+        - introduced: 5.4.0
+        - fixed: 5.4.7
+summary: |-
+    NeuVector telemetry sender is vulnerable to MITM and DoS in
+    github.com/neuvector/neuvector
+cves:
+    - CVE-2025-54470
+ghsas:
+    - GHSA-qqj3-g7mx-5p4w
+references:
+    - advisory: https://github.com/neuvector/neuvector/security/advisories/GHSA-qqj3-g7mx-5p4w
+    - web: https://github.com/neuvector/neuvector/commit/06424701e69bf1eb76ff90180d78853fded93021
+    - web: https://github.com/neuvector/neuvector/commit/415737cbec581a5dc5f204fac1c78b7f29ad7dc2
+source:
+    id: GHSA-qqj3-g7mx-5p4w
+    created: 2025-10-28T17:29:19.513717805Z
+review_status: REVIEWED