False positives in NodeJS 22 images

Feb 03 at 11:07am PST
Affected services
OCI Registry
APK Registry

Resolved
Feb 03 at 11:07am PST

We identified a typographical issue in our feeds that caused scanners to report false positives for CVE-2025-59466 in images containing NodeJS 22.

An incorrectly formatted “fixed” version was published, leading scanners to conclude that the CVE had not been addressed in the latest release, 22.22.0-r0.

The issue has now been corrected in our feeds. Downstream scanners will need to ingest the updated data and refresh their databases. Since most scanners rebuild their databases daily, we expect the corrected information to be reflected in many cases by the next overnight update.

In addition to correcting the data, we are implementing safeguards to prevent incorrectly formatted values from being accepted in the future.
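The failure mode and the kind of safeguard described above can be sketched as follows. This is an added example, not our feed tooling or any scanner's code: the notice does not state the actual typo, so the malformed values, the `nodejs-22` package name, the entry layout and the simplified version grammar are all assumptions.

```python
import re

# Simplified apk-style grammar (assumption): dotted numbers plus an
# optional -r<revision>, the shape of "22.22.0-r0". Letter and _suffix
# forms of real apk versions are deliberately out of scope here.
APK_VERSION = re.compile(r"(?P<nums>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?")


def parse(version):
    """Return a sortable key, or None when the string is malformed."""
    m = APK_VERSION.fullmatch(version)
    if m is None:
        return None
    nums = tuple(int(n) for n in m["nums"].split("."))
    return nums, int(m["rev"] or 0)


def is_vulnerable(installed, fixed):
    """Hypothetical scanner logic that treats an unparsable fix as 'no fix'."""
    inst, fix = parse(installed), parse(fixed)
    if inst is None:
        raise ValueError(f"cannot parse installed version {installed!r}")
    if fix is None:
        return True  # fail closed: this is where the false positive appears
    return inst < fix


def malformed_entries(feed):
    """Pre-publish gate: list every entry whose 'fixed' value fails the grammar."""
    return [e for e in feed if parse(e["fixed"]) is None]


# Constructed feed entries; only the CVE id and 22.22.0-r0 come from the notice.
SAMPLE_FEED = [
    {"cve": "CVE-2025-59466", "package": "nodejs-22", "fixed": "22.22.0-r0"},
    {"cve": "CVE-2025-59466", "package": "nodejs-22", "fixed": "22.22.0r0"},
    {"cve": "CVE-2025-59466", "package": "nodejs-22", "fixed": "22.22.0-r0 "},
]

if __name__ == "__main__":
    for entry in SAMPLE_FEED:
        flagged = is_vulnerable("22.22.0-r0", entry["fixed"])
        print(repr(entry["fixed"]), "-> reported vulnerable:", flagged)
    print("rejected by gate:", [e["fixed"] for e in malformed_entries(SAMPLE_FEED)])
```

Running the gate before publication rejects the two malformed values, which are exactly the ones that would make a fully patched 22.22.0-r0 image appear vulnerable.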

A full root cause analysis will be shared with customers in due course.