Mark CVE-2025-48734 as not affected (#29692)

https://fleetdm.slack.com/archives/C019WG4GH0A/p1748758788762129

security/status.md

@@ -85,6 +85,14 @@ Following is the vulnerability report of Fleet and its dependencies.
 
 ## `fleetdm/fleetctl` docker image
 
+### [CVE-2025-48734](https://nvd.nist.gov/vuln/detail/CVE-2025-48734)
+- **Author:** @lucasmrod
+- **Status:** `not_affected`
+- **Status notes:** The fleetctl tool is used by IT admins to generate packages so the vulnerable code cannot be controlled by attackers.
+- **Products:**: `fleetctl`,`pkg:golang/github.com/goreleaser/nfpm/v2`
+- **Justification:** `vulnerable_code_cannot_be_controlled_by_adversary`
+- **Timestamp:** 2025-06-02 07:33:44
+
 ### [CVE-2025-46569](https://nvd.nist.gov/vuln/detail/CVE-2025-46569)
 - **Author:** @lucasmrod
 - **Status:** `not_affected`

security/vex/fleetctl/CVE-2025-48734.vex.json

@@ -0,0 +1,26 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://openvex.dev/docs/public/vex-20dbacd4bcf9138d5605d33126398cab98f63e8ad61b283acdf8ed3013229437",
+  "author": "@lucasmrod",
+  "timestamp": "2025-06-02T07:33:44.249219-06:00",
+  "version": 1,
+  "statements": [
+    {
+      "vulnerability": {
+        "name": "CVE-2025-48734"
+      },
+      "timestamp": "2025-06-02T07:33:44.249223-06:00",
+      "products": [
+        {
+          "@id": "fleetctl"
+        },
+        {
+          "@id": "pkg:golang/github.com/goreleaser/nfpm/v2"
+        }
+      ],
+      "status": "not_affected",
+      "status_notes": "The fleetctl tool is used by IT admins to generate packages so the vulnerable code cannot be controlled by attackers",
+      "justification": "vulnerable_code_cannot_be_controlled_by_adversary"
+    }
+  ]
+}