This is a repo for recording disclosed OSS-Fuzz vulnerabilities, and acts as the source of truth for OSS-Fuzz vulnerabilities in OSV.

Each OSS-Fuzz vulnerability has precise impacted version and commit version information added by OSV.

Users may submit PRs to update any information here.

The format is described here.

Vulnerabilities undergo automated bisection and repository analysis as part of OSV to determine the affected commit ranges and versions. They are then automatically imported in this repository.

Any user changes to vulnerability files in this repository will trigger a re-analysis by OSV within a few minutes ( example change, re-analysis).

OSV will also regularly recompute affected versions and detect cherry picks across different branches for each vulnerability (example).

OSV also provides an API to let users easily query this information.

An OSS-Fuzz vulnerability may be missing here for a few reasons.

Sometimes the bisection is unable to resolve the introduced and fixed ranges to an acceptably small range. In these cases, we opt to keep the database higher quality and avoid showing such results by default.

Failure cases are recorded at the public GCS bucket gs://oss-fuzz-osv-vulns. You may use the script scripts/import.py to import any existing details about these failed vulnerabilities.

$ python scripts/import.py <oss-fuzz issue ID>

Any missing details may be filled in manually and submitted as part of a PR to this repo. See this example.

We only include bugs that are marked as security by OSS-Fuzz. If you are a project maintainer, you may edit the security flag on the corresponding testcase details page. Marking a bug as security will automatically cause it to be fed into OSV, if the bug is reliably reproducible.

If a vulnerability in this repository is not considered a security vulnerability, it may be removed by submitting a PR to add a withdrawn field to the relevant entry.