Add alias CVE-2025-55182 to GHSA-9qr9-h5gf-34mp

[tockn]

Summary

This PR adds CVE-2025-55182 as an alias to this advisory.

Details

According to NVD, CVE-2025-66478 has been REJECTED as a duplicate of CVE-2025-55182.
This change adds the active CVE ID to the aliases to correctly map this vulnerability.

References

• Rejected CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-66478
• Active CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-55182

[Copilot]

Pull request overview

This PR updates the security advisory GHSA-9qr9-h5gf-34mp to replace a rejected CVE ID with the active one. CVE-2025-66478 was rejected by NVD as a duplicate of CVE-2025-55182, so both IDs are now listed as aliases to ensure proper vulnerability tracking.

Key changes:

• Added CVE-2025-55182 to the aliases array
• Retained CVE-2025-66478 for reference
• Updated the modification timestamp

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mswilson]

Per the OSV schema, https://ossf.github.io/osv-schema/#aliases-field

Aliases should not be used to refer to vulnerabilities in packages upstream or downstream in a software supply chain from the given OSV record’s affected package(s). For example, if a CVE describes a vulnerability in a language library, and a Linux distribution package contains that library and therefore publishes an advisory, the distribution’s OSV record must not list the CVE ID as an alias. Similarly, distributions often bundle multiple upstream vulnerabilities into a single record. To refer to these upstream vulnerabilities, upstream should be used.