[FP]: CVE-2022-24834 wrongly matched to npm package node-redis

[kronehero]

Package URl

pkg:npm/redis@5.5.6

CPE

cpe:2.3:a:redis:redis:5.5.6:*:*:*:*:*:*:*

CVE

CVE-2022-24834

ODC Integration

{"label" => "Docker"}

ODC Version

Dependency-Check Core version 12.1.0

Description

ODC flags the npm package node-redis (redis.js) as vulnerable to CVE-2022-24834.
That CVE is a heap-overflow flaw in the Redis server (redis) Lua scripting engine, not in the Node.js client library redis.js.

According to the CVE, "the problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20". However, the vulnerable version 5.5.6 of the Node.js Redis library is the most recent version available as of 13 June 2025. This further demonstrates that the vulnerability affects the server rather than the npm package.

[github-actions]

Npm Coordinates

npm -i redis@5.5.6

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7740
   ]]></notes>
   <packageUrl regex="true">^pkg:npm/redis@.*$</packageUrl>
   <cpe>cpe:/a:redis.js:redis</cpe>
</suppress>

Link to test results: https://github.com/dependency-check/DependencyCheck/actions/runs/15628107674

[chadlwilson]

The CPE here is probably not the one being reported against, or the vuln wouldn't be reported (this is a CPE for the JS library by the look of it, which would be correct) - so the suggested suppression is inappropriate. If you are still having an issue, please edit the CPE in the description to match what is reported (probably the redis server) and I'll re-open/re-look.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/17906578086

[kronehero]

The CPE here is probably not the one being reported against, or the vuln wouldn't be reported (this is a CPE for the JS library by the look of it, which would be correct) - so the suggested suppression is inappropriate. If you are still having an issue, please edit the CPE in the description to match what is reported (probably the redis server) and I'll re-open/re-look.

Thanks for your reply! I've updated the description in the original issue report. Please let me know if you require any additional information.

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/17907406657

[chadlwilson]

Can you edit the description to just one of the CPEs in the ODC report with the original format please? That'll help the automation be able to process it so we can evaluate. If it has both, include the one that is problematic.

If ODC detected as the JS variant I'm not sure where the CVE came from since NVD marked it correctly against the server product not the JS library - so it shouldn't be reported by ODC (Unless it's actually coming from somewhere else)

[github-actions]

Failed to automatically evaluate the false positive. See: https://github.com/dependency-check/DependencyCheck/actions/runs/17907667184

[kronehero]

I have edited the description. The GitHub action appears to be failing due to missing Sonatype OSS credentials.

As you correctly pointed out, the NVD database specifies the correct CPE, so it is likely that ODC obtained the CPE from a different source. The first scan conducted with this ODC issue was on 08/05/2025. This CVE was last modified on NVD on 11/21/2024. The issue still exists for package.json files with the entry "dependencies": {"redis": "^5.5.6"}.

Automatic database updates are enabled for all the vuln databases in my case. I didn't deactivated any vuln databases during my scans.

[chadlwilson]

When I run locally, both CPEs are matched which is probably the issue here.

The problematic CPE is the server one, which is what should be in your FP report. If we suppress that CPE against the redis JS client library from the NPM package, the false positives will go away. Sadly, we need to fix the automation for the recent OSS Index changes, it seems - but you can update your report in preparation :-)