Is it expected that Trivy doesn't detect CVE-2025-66478 (Next.js) yet? #9884
Question

I have been testing Trivy with the Next.js RCE vulnerability (CVE-2025-66478) published yesterday. While npm audit correctly detects it, trivy fs . returns zero vulnerabilities for the same project (next@16.0.6). My Trivy DB was updated today at 12:25 UTC, approximately 12 hours after the CVE was published. I assume the advisory was not yet included in that particular build.

I would like to understand how Trivy's npm detection pipeline works. Does it pull from GitHub Advisory Database directly, or is there an intermediate step that could explain this delay? The advisory (GHSA-9qr9-h5gf-34mp) is already available there. I am happy to wait a few more DB cycles and report back if that would be helpful. Thank you.

Target: Filesystem
Scanner: Vulnerability
Output Format: None
Mode: Standalone
Operating System: No response
Version:
Version: 0.68.1
Vulnerability DB:
Version: 2
UpdatedAt: 2025-12-04 12:25:36.62596429 +0000 UTC
NextUpdate: 2025-12-05 12:25:36.625964069 +0000 UTC
DownloadedAt: 2025-12-04 18:39:56.88043 +0000 UTC
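The triage the question describes (compare npm audit with Trivy, then look at the DB timestamps) can be scripted so that a "Trivy missed it" result is separated into the cases a maintainer would ask about: the DB was built before the advisory existed, the local DB copy is overdue for refresh, or the DB post-dates the advisory and the gap lies in upstream ingestion. The script below is an added example, not code from the Trivy project or from the poster. It assumes the JSON layouts of `trivy fs --format json` (Results[].Vulnerabilities[].PkgName) and of `npm audit --json` (auditReportVersion 2, vulnerabilities.<pkg>.via[].url), and all sample inputs, the advisory publication time and the "now" timestamp are constructed; only the DB timestamps are taken from the question.

```python
"""Cross-check `npm audit --json` against `trivy fs --format json` and decide whether a
package flagged only by npm can be explained by Trivy DB timing (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample: the 'Vulnerability DB' block printed by `trivy --version`,
# with the timestamps from the question above.
TRIVY_VERSION_OUTPUT = """\
Version: 0.68.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-12-04 12:25:36.62596429 +0000 UTC
  NextUpdate: 2025-12-05 12:25:36.625964069 +0000 UTC
  DownloadedAt: 2025-12-04 18:39:56.88043 +0000 UTC
"""

# Constructed sample in the shape of `trivy fs --format json .` (assumed layout:
# Results[].Vulnerabilities[].PkgName). As in the question, Trivy reports nothing.
TRIVY_JSON = {"Results": [{"Target": "package-lock.json", "Class": "lang-pkgs",
                           "Type": "npm"}]}

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2):
# vulnerabilities.<pkg>.via[] entries carry the GitHub advisory URL.
NPM_AUDIT_JSON = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "next": {
            "name": "next", "severity": "critical", "isDirect": True,
            "via": [{"name": "next", "title": "placeholder advisory title",
                     "url": "https://github.com/advisories/GHSA-9qr9-h5gf-34mp",
                     "severity": "critical", "range": "<placeholder>"}],
            "range": "<placeholder>", "nodes": ["node_modules/next"], "fixAvailable": True,
        }
    },
}

# Assumed advisory publication time and "now" (constructed; roughly 12h before UpdatedAt).
ADVISORY_PUBLISHED = datetime(2025, 12, 4, 0, 0, tzinfo=timezone.utc)
NOW = datetime(2025, 12, 4, 19, 0, tzinfo=timezone.utc)

_TS_RE = re.compile(r"^\s*(UpdatedAt|NextUpdate|DownloadedAt):\s+"
                    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", re.M)
_GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")


def parse_db_timestamps(version_output: str) -> dict:
    """Return {UpdatedAt, NextUpdate, DownloadedAt} as UTC datetimes (fractions dropped)."""
    return {key: datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            for key, value in _TS_RE.findall(version_output)}


def trivy_flagged_packages(report: dict) -> set:
    """Package names with at least one finding in a Trivy JSON report."""
    return {v["PkgName"] for r in report.get("Results", [])
            for v in (r.get("Vulnerabilities") or [])}


def npm_flagged_packages(report: dict) -> dict:
    """Map package name -> set of GHSA ids npm audit cites for it."""
    flagged = {}
    for name, entry in report.get("vulnerabilities", {}).items():
        ids = set()
        for via in entry.get("via", []):
            if isinstance(via, dict):  # a plain string means "vulnerable via <dependency>"
                m = _GHSA_RE.search(via.get("url", ""))
                if m:
                    ids.add(m.group(0))
        flagged[name] = ids
    return flagged


def classify_gap(db: dict, advisory_published: datetime, now: datetime) -> str:
    """Say whether DB timing alone could explain Trivy not reporting an advisory."""
    if db["UpdatedAt"] < advisory_published:
        return "db-built-before-advisory"  # wait for the next trivy-db build
    if now >= db["NextUpdate"]:
        return "local-db-stale"  # rerun; Trivy will fetch the newer DB
    return "db-built-after-advisory"  # timing does not explain it; check trivy-db ingestion


def cross_check(trivy_report, npm_report, version_output, advisory_published, now) -> dict:
    """Packages npm audit flags that Trivy does not, plus the DB-timing verdict."""
    trivy_pkgs = trivy_flagged_packages(trivy_report)
    only_npm = {pkg: sorted(ids) for pkg, ids in npm_flagged_packages(npm_report).items()
                if pkg not in trivy_pkgs}
    db = parse_db_timestamps(version_output)
    return {"only_in_npm_audit": only_npm,
            "db_status": classify_gap(db, advisory_published, now)}


def run_example() -> dict:
    return cross_check(TRIVY_JSON, NPM_AUDIT_JSON, TRIVY_VERSION_OUTPUT, ADVISORY_PUBLISHED, NOW)


if __name__ == "__main__":
    result = run_example()
    for pkg, ids in result["only_in_npm_audit"].items():
        print(f"{pkg}: flagged by npm audit ({', '.join(ids)}) but not by Trivy")
    print("db_status:", result["db_status"])
```

With the question's timestamps and a publication time about 12 hours before the build, the verdict is "db-built-after-advisory": the DB build postdates the advisory, so the miss is not explained by the build schedule alone and the place to look is how the advisory reaches trivy-db, which is exactly what the linked trivy-db issue is about. The classification only uses the times Trivy prints; a DB built after an advisory was published does not guarantee the advisory was already present in the upstream feed at the moment that build fetched it.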
Replies: 1 comment 1 reply
We discuss this in aquasecurity/trivy-db#597