
Incorrect CPE for Vercel's Next.js #4443

@farsheedify

Description


What happened:
We were investigating components vulnerable to react2shell and noticed a project with a vulnerable component. The project's SBOM was uploaded to DependencyTrack but was not matched with the related CVE. We double-checked the CPE, and it was different from the CPE provided by NVD.

The CPE generated by Syft:
cpe:2.3:a:next:next:15.0.3:*:*:*:*:*:*:*

The CPE provided by NVD:
cpe:2.3:a:vercel:next.js:15.0.3:*:*:*:*:*:*:*

What you expected to happen:
Correct CPEs matching with NVD format.

Steps to reproduce the issue:
Scan a project's pnpm-lock.yaml containing Next.js version 15.0.3 with Syft version 1.38.0.
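The following is an added example, not code from Syft or Dependency-Track: it parses CPE 2.3 formatted strings, shows why the two CPEs in this issue (written out with their `*` wildcards) do not match attribute by attribute, and then applies an assumed npm-name to NVD vendor/product alias table to repair the Syft-generated CPE before matching.

```python
# Added example (not Syft's or Dependency-Track's code): CPE 2.3 parsing,
# attribute-wise matching, and an assumed npm -> NVD alias normalization.
import re

FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 attribute values.
    A colon escaped as '\\:' inside a value is not a separator."""
    parts = re.split(r"(?<!\\):", cpe)
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(FIELDS, parts[2:]))

def _attr_match(a: str, b: str) -> bool:
    # '*' is the logical ANY value; otherwise values must be equal (case-insensitive).
    return a == "*" or b == "*" or a.lower() == b.lower()

def cpe_match(sbom_cpe: str, nvd_cpe: str) -> bool:
    """True only when every attribute of the two CPEs is compatible."""
    x, y = parse_cpe23(sbom_cpe), parse_cpe23(nvd_cpe)
    return all(_attr_match(x[f], y[f]) for f in FIELDS)

# Assumed alias table: npm package name -> (NVD vendor, NVD product).
# The single entry is taken from this issue; the table itself is constructed.
NPM_ALIASES = {"next": ("vercel", "next.js")}

def normalize_npm_cpe(cpe: str) -> str:
    """Rewrite vendor/product of a Syft-style CPE (vendor == product == npm
    name) using the alias table; other CPEs are returned unchanged."""
    attrs = parse_cpe23(cpe)
    if attrs["vendor"] == attrs["product"] and attrs["product"] in NPM_ALIASES:
        attrs["vendor"], attrs["product"] = NPM_ALIASES[attrs["product"]]
    return "cpe:2.3:" + ":".join(attrs[f] for f in FIELDS)

SYFT_CPE = "cpe:2.3:a:next:next:15.0.3:*:*:*:*:*:*:*"       # from the issue
NVD_CPE = "cpe:2.3:a:vercel:next.js:15.0.3:*:*:*:*:*:*:*"   # from the issue

if __name__ == "__main__":
    print("raw Syft CPE matches NVD:", cpe_match(SYFT_CPE, NVD_CPE))  # False
    fixed = normalize_npm_cpe(SYFT_CPE)
    print("normalized CPE matches NVD:", cpe_match(fixed, NVD_CPE))   # True
```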

Metadata

Labels

bug: Something isn't working

Status

Done
