What would you rather? It seems to make sense to rate these with such a high CVSS. All auditing tools I know of have a way to whitelist CVEs to say either "We've looked into this and it doesn't impact us" or "We are willing to accept the risk". From your post it sounds like you are in the first camp, but others might not be and need those notifications.

RCE via deserialization seems a valid 9.8 even if it requires the developer to use less common APIs or to use them in strange ways. In the bug they have a comment that the documentation warns about these APIs, but that doesn't really impact a CVSS score. Am I missing something about this specific CVE on why you think it's unfair?