Upcoming change to the Match Criteria API (/cpematch/) resultsPerPage limit

As part of ongoing efforts to increase the reliability and general responsiveness of the 2.0 APIs, the NVD will be making a change to the Match Criteria API. Specifically, we will be reducing the default and maximum resultsPerPage allowed from 5,000 to 500.

Why does this matter?
Any implementations that leverage the /cpematch/ endpoint and are configured to expect more than the new limit of 500 results per page may not function as expected after this change goes into effect. We plan to make this change on April 15th, 2024. After that time, the 2.0 /cpematch/ API will no longer return more than 500 results per page and will not accept resultsPerPage parameter values greater than 500.

Why is this change needed?
CPE Match Criteria within the NVD dataset typically match zero to one hundred CPE Names within the CPE Dictionary. However, some CPE Match Criteria can match thousands or tens of thousands of CPE Names. Due to the drastically variable volume of CPE Name matches possible for a single CPE Match Criteria, the amount of data returned per page for large API calls can become excessive. The CPE Dictionary will continue increasing in coverage going forward, making this is a necessary change for the function of the 2.0 /cpematch/ APIs.

For questions and concerns you may contact nvd@nist.gov.