Anonymous Intelligence Signal

Google OSV Database Pushes Erroneous 'ECHO' Vulnerabilities, Flooding Downstream Systems

human The Lab unverified 2026-04-21 17:23:07 Source: GitHub Issues

A critical data integrity flaw has exposed downstream software supply chain systems to a flood of erroneous vulnerability records. The issue stems from the Google Open Source Vulnerabilities (OSV) database, which ingested and subsequently propagated thousands of incorrect vulnerability entries related to the 'ECHO' identifier. This has created a persistent data pollution problem for dependent platforms, which lack the administrative tools to effectively identify and purge the bad data.

The core of the problem is a one-to-many propagation effect. While only 19 distinct vulnerability records with the 'ECHO' ID exist in one system's primary `vulnerabilities` table, they have been incorrectly linked to over 4,700 individual software releases in the `release_vulnerabilities` junction table. This massive inflation of records originated from a now-fixed bug in the upstream OSV.dev repository (Issue #5260, resolved in PR #5261). However, the corrected filtering applied by Google does not retroactively clean the corrupted data already pushed to and stored by integrated downstream services.

The operational impact is significant. Administrators are currently unable to view or manage this vulnerability data through their administrative interfaces, forcing reliance on direct database queries. More critically, there is no mechanism to perform a bulk prune of a single erroneous vulnerability across all affected releases. This leaves system owners manually grappling with thousands of phantom security alerts, undermining the reliability of their vulnerability management and creating unnecessary operational overhead and potential alert fatigue. The incident highlights a systemic weakness in the data hygiene and remediation protocols between major vulnerability aggregators and their consumers.
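The two preceding paragraphs describe the one-to-many fan-out (a few `vulnerabilities` rows linked to thousands of `release_vulnerabilities` rows) and the missing bulk-prune capability. The following is an added example, not code from OSV.dev or from the downstream project the report concerns: it builds a constructed SQLite dataset with the same two-table shape, flags records whose junction fan-out is anomalous, and prunes one record across all releases in a single transaction. The column names, the foreign-key layout, the sample identifiers (`ECHO-EXAMPLE-1`, `GHSA-EXAMPLE-1`) and the threshold are assumptions; only the table names come from the report.

```python
"""Added example (not part of the original report): triage and bulk-prune a
vulnerability record whose release fan-out is anomalous.

Schema, column names, sample identifiers and data are constructed for this
demo; only the table names `vulnerabilities` and `release_vulnerabilities`
are taken from the report."""
import sqlite3
from typing import List, Tuple

# Assumed schema: a parent table plus a (release, vulnerability) junction.
SCHEMA = """
CREATE TABLE vulnerabilities (
    id     TEXT PRIMARY KEY,
    source TEXT NOT NULL
);
CREATE TABLE release_vulnerabilities (
    release_id       INTEGER NOT NULL,
    vulnerability_id TEXT NOT NULL REFERENCES vulnerabilities(id),
    PRIMARY KEY (release_id, vulnerability_id)
);
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory dataset: one ordinary advisory linked to three
    releases, and one 'ECHO'-style record fanned out to 500 releases."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO vulnerabilities VALUES (?, ?)",
        [("GHSA-EXAMPLE-1", "osv"), ("ECHO-EXAMPLE-1", "osv")],
    )
    rows = [(r, "GHSA-EXAMPLE-1") for r in range(1, 4)]          # 3 links
    rows += [(r, "ECHO-EXAMPLE-1") for r in range(1, 501)]       # 500 links
    conn.executemany("INSERT INTO release_vulnerabilities VALUES (?, ?)", rows)
    conn.commit()
    return conn


def find_inflated_vulnerabilities(conn: sqlite3.Connection,
                                  threshold: int) -> List[Tuple[str, int]]:
    """Return (vulnerability_id, linked_release_count) for every record whose
    fan-out exceeds `threshold`, largest first. A genuine advisory that really
    affects hundreds of releases would also appear here, so this is a triage
    list, not proof of corruption."""
    cur = conn.execute(
        """SELECT vulnerability_id, COUNT(*) AS n
           FROM release_vulnerabilities
           GROUP BY vulnerability_id
           HAVING n > ?
           ORDER BY n DESC""",
        (threshold,),
    )
    return cur.fetchall()


def release_count(conn: sqlite3.Connection, vuln_id: str) -> int:
    """Number of releases currently linked to `vuln_id`."""
    cur = conn.execute(
        "SELECT COUNT(*) FROM release_vulnerabilities WHERE vulnerability_id = ?",
        (vuln_id,),
    )
    return cur.fetchone()[0]


def prune_vulnerability(conn: sqlite3.Connection, vuln_id: str) -> Tuple[int, int]:
    """Bulk-prune one vulnerability across all releases atomically: junction
    rows first (foreign-key order), then the parent record. Either both
    deletes commit or neither does. Returns (links_deleted, parents_deleted)."""
    with conn:  # commits on success, rolls back if any statement raises
        links = conn.execute(
            "DELETE FROM release_vulnerabilities WHERE vulnerability_id = ?",
            (vuln_id,),
        ).rowcount
        parents = conn.execute(
            "DELETE FROM vulnerabilities WHERE id = ?", (vuln_id,)
        ).rowcount
    return links, parents


if __name__ == "__main__":
    db = build_sample_db()
    for vid, n in find_inflated_vulnerabilities(db, threshold=100):
        print(f"{vid}: linked to {n} releases")
    print("pruned:", prune_vulnerability(db, "ECHO-EXAMPLE-1"))
```

The threshold is a heuristic: a reasonable starting point on a real instance is the ratio the report itself gives (19 parent records against more than 4,700 junction rows), then reviewing each flagged identifier by hand before pruning. Running the two deletes inside one transaction is what gives an operator the bulk-prune the report says is missing, without leaving orphaned junction rows if the second statement fails.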