Comment by kiitos

2 months ago

Particularly for [1], I strongly agree with you.

This is so frustrating.

The claimed CWE-125 [2] has a description that says "The product reads data past the end, or before the beginning, of the intended buffer." -- which empirically does not happen in the Go Markdown parser issue. It panics, sure, but that doesn't result in any reads past the end, or before the beginning, of the intended buffer. Said another way, *there is no out-of-bounds read* happening here at all.

These kinds of false-positive CVE claims are super destructive to the credibility of the CVE system in general.

--

[1] https://github.com/gomarkdown/markdown/security/advisories/G...

[2] https://cwe.mitre.org/data/definitions/125.html
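As an added illustration (not part of kiitos's comment, the advisory, or the gomarkdown project), this Go program shows why an out-of-range index in Go ends in a runtime panic rather than a read outside the slice: the bounds check runs before the load, so the only observable effect is the panic (a crash, i.e. availability impact) and no byte beyond the slice is ever read. The `SafeIndex` helper, the sample buffer and all names are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
)

// ErrOutOfRange is returned when the requested index lies outside the slice.
var ErrOutOfRange = errors.New("index outside slice bounds")

// SafeIndex returns buf[i], converting Go's bounds-check panic into an error.
// The compiler emits the check before the memory load, so when i is out of
// range no byte outside buf is read; a caller that does not recover simply
// crashes the process, which is a denial of service, not an information leak.
func SafeIndex(buf []byte, i int) (b byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			// Only swallow the runtime's own bounds-check failure.
			if re, ok := r.(runtime.Error); ok {
				err = fmt.Errorf("%w: %v", ErrOutOfRange, re)
				return
			}
			panic(r) // anything else is a genuine bug; re-raise it
		}
	}()
	return buf[i], nil
}

func main() {
	// Constructed input: a 6-byte backing array, but the slice handed to the
	// "parser" only covers the first 3 bytes.
	backing := [6]byte{'a', 'b', 'c', 'X', 'Y', 'Z'}
	view := backing[:3]

	// Index 4 exists in the backing array, yet len(view) is 3, so Go panics
	// instead of returning 'Y'. Nothing past the slice is read.
	b, err := SafeIndex(view, 4)
	fmt.Printf("value=%q err=%v\n", b, err)

	// In-range access behaves normally.
	b, err = SafeIndex(view, 2)
	fmt.Printf("value=%q err=%v\n", b, err)
}
```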