Manually-verified CVE in a dependency
What it detects
This one is different from the other checkers on this page: it's not a regex or pattern match. CHK-CVE is the tag used when a CVE affecting a dependency has been manually researched and confirmed against the actual repository — as opposed to CHK-034/035/036, which are the automated severity tiers the OSV API lookup assigns to every dependency CVE it finds programmatically.
Manual verification matters here because automated CVE-to-dependency matching has a real false-positive rate (a CVE in a library doesn't always mean the vulnerable code path is reachable). CHK-CVE entries have had that reachability checked by hand before being counted.
Real example
CVE-2025-68143, CVSS 8.8, path traversal. This is the official MCP reference Git server — the one most developers install first, referenced directly in Claude Code's own documentation. A crafted repository path can read files outside the intended directory scope.
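The defensive check that closes the path-traversal class described above, as an added example (not the MCP Git server's own code, and not the upstream fix): a server that receives a repository path from a client resolves it and refuses anything that lands outside an allow-listed root. Resolving both sides collapses `..` segments and follows symlinks, and comparing with `relative_to` rather than a string prefix avoids the `/srv/repos-evil` false match. The root directory and sample paths are constructed.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_within(root: str, requested: str) -> Optional[Path]:
    """Return the absolute path for `requested` if it stays inside `root`, else None.

    Both sides are resolved so that '..' segments, absolute paths and symlinks are
    all collapsed before the containment check. `relative_to` is used instead of a
    string prefix test so that '/srv/repos-evil' is not mistaken for '/srv/repos'.
    """
    root_abs = Path(root).resolve()
    # Joining an absolute `requested` discards `root_abs`, which resolve() then exposes.
    candidate = (root_abs / requested).resolve()
    try:
        candidate.relative_to(root_abs)
    except ValueError:
        return None
    return candidate


def symlink_escape_blocked() -> bool:
    """Constructed scenario: a symlink inside the root that points outside it.

    Builds a temporary root containing 'link' -> /tmp and checks that a request
    for 'link/anything' is rejected because it resolves outside the root.
    """
    with tempfile.TemporaryDirectory() as root:
        os.symlink(tempfile.gettempdir(), os.path.join(root, "link"))
        return resolve_within(root, "link/anything") is None


if __name__ == "__main__":
    root = "/srv/repos"  # constructed root; need not exist for the check to work
    for req in ["proj/.git/config", "../../etc/passwd", "/etc/passwd", "../repos-evil/x"]:
        print(f"{req!r:>22} -> {resolve_within(root, req)}")
    print("symlink escape blocked:", symlink_escape_blocked())
```

The function is deliberately strict: a request that resolves exactly to the root itself is allowed (relative_to succeeds with an empty remainder), so callers that need to forbid listing the root should test for that separately.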
How to fix it
Check the package's CHANGELOG or GitHub releases for the version that fixes CVE-2025-68143 and upgrade to it. For dependency CVEs generally: pin to the fixed version rather than a range, since the vulnerable version may otherwise still resolve in some install paths.
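A small audit of the pinning advice above, as an added example that is not part of the original page: given the known-vulnerable versions of a package, it evaluates each requirement line's specifier and reports which vulnerable versions that specifier still allows. A range such as `>=1.2` passes the check against a stale or alternate index, while an exact pin of the fixed version does not. The package name, version numbers and requirement lines are constructed placeholders, since the page does not name the fixed release; only numeric dotted versions and the operators `==`, `!=`, `>=`, `<=`, `>`, `<` are handled.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Comparison operators supported for specifier clauses (no ~= or wildcard support).
_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*?)\s*(?:#.*)?$")


def parse_version(text: str) -> Version:
    """Parse a numeric dotted version such as '1.2.0' into a tuple of ints."""
    return tuple(int(p) for p in text.strip().split("."))


def _pad(v: Version, width: int) -> Version:
    # Pad with zeros so that 1.2 and 1.2.0 compare equal.
    return v + (0,) * (width - len(v))


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every comma-separated clause of `specifier`.

    An empty specifier (an unpinned requirement) matches every version.
    """
    ver = parse_version(version)
    for clause in specifier.split(","):
        clause = clause.strip()
        if not clause:
            continue
        for op in (">=", "<=", "==", "!=", ">", "<"):  # two-char operators first
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                width = max(len(ver), len(bound))
                if not _OPS[op](_pad(ver, width), _pad(bound, width)):
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
    return True


def resolvable_vulnerable(specifier: str, vulnerable: List[str]) -> List[str]:
    """Vulnerable versions that the specifier would still accept."""
    return [v for v in vulnerable if satisfies(v, specifier)]


def audit_requirements(lines: List[str], vulnerable_by_pkg: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each requirement whose specifier still admits a vulnerable version to those versions."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        match = _REQ_LINE.match(line)
        if not match or not match.group(1):
            continue
        name, spec = match.group(1).lower(), match.group(2)
        if name not in vulnerable_by_pkg:
            continue
        hits = resolvable_vulnerable(spec, vulnerable_by_pkg[name])
        if hits:
            findings[name] = hits
    return findings


# Constructed sample data: the package name and versions are placeholders.
VULNERABLE = {"example-git-server": ["1.2.0", "1.2.1", "1.3.0"]}
FIXED = "1.3.1"  # placeholder for the release that closes the CVE

if __name__ == "__main__":
    for req in [f"example-git-server>=1.2", f"example-git-server=={FIXED}", "example-git-server"]:
        print(f"{req:<28} still allows: {audit_requirements([req], VULNERABLE)}")
```

Running the block shows the range and the unpinned line both admitting all three vulnerable versions, while the exact pin reports nothing; the same function can be pointed at a lock file's exact `==` entries to confirm the resolved version is the fixed one.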