CVE-2025-66478 rejection as duplicate should be challenged

[jmion2s]

Summary

The rejection of CVE-2025-66478 linked as an alias by GHSA-9qr9-h5gf-34mp (in the sidebar, not the text) as a duplicate may lead to some vulnerability scanners not detecting the vulnerable next.js versions, see linked example. Please challenge the rejection.

Additional information

github/advisory-database#6509 may remove the mentioned alias

Example

aquasecurity/trivy-db#597 shows a popular scanner dropping the advisory

[mswilson]

Please see CNA operational rules that govern the allocation of CVEs:

https://www.cve.org/resourcessupport/allresources/cnarules

4.1.12 The act of updating Product dependencies MUST NOT be determined to be a Vulnerability, regardless of whether the dependencies have Vulnerabilities. For example, updating a library to address a Vulnerability in that library MUST NOT be determined to be a new Vulnerability in a Product that uses the library, and a Vulnerability advisory for the Product SHOULD reference the CVE ID for the Vulnerability in the library.