2025 Open Source Vulnerability Trends: Key Stats

GitHub reviewed just 4,101 advisories in 2025, the lowest since 2021. Don't pop the champagne—new vulnerabilities jumped 19%, and npm malware spiked 69%.

[Figure: line chart of open source vulnerability advisories, 2021 to 2025, with CWE rankings inset]

Key Takeaways

  • Reviewed advisories hit 4,101 in 2025 (lowest since 2021), but new vulnerabilities rose 19%.
  • CWE-79 (XSS) still #1; resource exhaustion and deserialization climbed fast.
  • npm malware advisories up 69%; Go ecosystem overrepresented by 6%.

GitHub drops a stat that stops you cold: 4,101 reviewed advisories in 2025. Fewest since 2021.

Zoom out, though. Open source vulnerability trends aren’t screaming ‘victory.’ They’re whispering ‘backlog cleared, fresh hell incoming.’

Here’s the security analyst behind the GitHub Advisory Database — and CVE issuer — laying it bare:

Fewer advisories reviewed doesn’t mean fewer vulnerabilities were reported. The drop is because GitHub reviewed far fewer older vulnerabilities. When you look only at newly reported vulnerabilities from our sources, GitHub actually reviewed 19% more advisories year over year.

That 19% uptick in new reports? Brutal reality check. Unreviewed piles from the database’s early days are thinning out. No more low-hanging fruit. But reporters aren’t slacking — they’re churning out alerts on today’s code.

And those ‘unreviewed’ tags? Misleading as hell. Most got a quick scan, deemed irrelevant to supported ecosystems. They’ll sit forever. Upshot for you: fewer Dependabot pings on ancient bugs. (Finally.)

Why the Advisory Drought in 2025?

Blame efficiency. GitHub’s curators exhausted the old-vuln backlog. New ones? Holding steady or climbing.

Ecosystem split stays familiar — JavaScript, Ruby, Python dominate. Except Go. It’s overweight by 6% this year. Why? Internal audits unearthed gaps. Dedicated hunts for missing advisories in Go packages. Smart move, but it flags Go’s explosive growth — and its security growing pains.

Look closer at the CWE rankings. Cross-site scripting (CWE-79) clings to the top spot with 672 hits. No surprise there. But watch the climbers: resource exhaustion (CWE-400, CWE-770) exploding upward. Unsafe deserialization (CWE-502) jumps. Server-side request forgery (CWE-918) too.

Incorrect Authorization (CWE-863) vaults nine spots. Reclassifications from broader CWEs like 284 and 285 — the CWE overlords hate those vague parents now.

Big win: CWE tagging got precise. Advisories sans CWE plummeted 85%, from 452 to 65. CWE-20 (Improper Input Validation) still haunts, but now it’s paired — CWE-20 plus the real culprit. Actionable data. Triage gold.

Here’s the table that tells the tale:

Rank  CWE      2025 advisories  Rank change vs 2024  Rank change vs full DB
----  -------  ---------------  -------------------  ----------------------
1     CWE-79   672              +0                   +0
2     CWE-22   214              +2                   +1
3     CWE-863  169              +9                   +8
4     CWE-20   154              +1                   +1
5     CWE-200  145              -2                   -1
6     CWE-400  144              +4                   +0
7     CWE-770  136              +7                   +10
8     CWE-502  134              +5                   +1
9     CWE-94   119              -3                   -1
10    CWE-918  103              +5                   +8

(Note: an advisory tagged with more than one CWE is counted once under each of them.)

Is Open Source Actually Safer Now?

Hell no. Fewer reviews mask the storm. New vulns up 19%. Go’s bump hints at ecosystem adolescence — remember JavaScript’s XSS plague in the 2010s? Go’s next if supply-chain hustlers pivot.

My take: GitHub’s PR spin on ‘fewer alerts’ distracts from the grind. It’s backlog housekeeping, not safety triumph. Bold call — 2026 sees AI scanners auto-tag CWEs at scale, slashing triage time 50%. But only if maintainers adopt. Otherwise, exploit farms win.

Prioritize smart. CVSS gauges blast radius. EPSS bets on exploit odds in 30 days.

CVSS skews high — most vulns moderate-to-critical. Low ones? Underreported. EPSS backs ignoring them; real attacks hit high scores.

Cross-check with CISA’s Known Exploited list. Moderates exploited, sure. But CVSS floods criticals (many duds). EPSS tempers that. Stack ‘em for your dashboard.

npm? Nightmare fuel. Malware advisories leaped 69%. Blame Shai-Hulud campaigns — mass infections via typosquatting, dependency confusion. npm’s 2M+ packages? Malware playground.

GitHub’s response: Aggressive scanning. But developers, you’re the line. Lock down scopes. Audit deps weekly.

Market dynamic here shifts hard. Open source powers 90% of cloud infra — AWS, Azure logs prove it. One unpatched CWE-918 in a Go microservice? Lateral movement jackpot for attackers.

Vendors smell blood. Snyk, Sonatype pitch premium scans. GitHub pushes Dependabot auto-triage by CWE.

But here’s the edge no one mentions: This CWE precision? It arms offensive AI. Red-team bots will fuzz CWE-502 deserialization en masse by Q4 ‘26. Defenders, train your models now.

Go’s overrep? Symptom of its dev boom — Docker, Kubernetes fuel it. Vulns follow adoption curves. Historical parallel: PHP’s SQLi era circa 2005. Go sidesteps that with memory safety? Nah, goroutines invite races (CWE-400).

Developers rejoice at fewer old alerts. But 19% more new ones demand vigilance. npm’s malware surge? Wake-up. Ecosystems mature unevenly.

GitHub’s data proves open source vulnerability trends stabilized on volume — not risk. Prioritize EPSS + CVSS. Tag precisely. Hunt malware.

Or watch your supply chain burn.

Why Does Go Dominate 2025 Advisories?

Overrep by 6%. Internal cleanup campaigns. But it’s growth pains — fast adoption breeds blind spots.

As cloud-native stacks go all-in on Go (think Envoy proxies, etcd), attackers profile it. Resource exhaustion vulns spike because goroutines mask DoS vectors. Prediction: nation-states target Go deps next, post-Log4Shell fatigue.

How to Slash Your Risk Tomorrow

Filter Dependabot by CWE. Stack scores. Ignore low EPSS.

npm tip: npm audit --audit-level=high. Block legacy SHA1 deps.

Teams: Mandate SBOMs. GitHub’s free — use it.
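The stacking the article recommends (CVSS for blast radius, EPSS for 30-day exploit odds, a CISA KEV cross-check, plus a watch list of the fast-climbing CWEs from the 2025 table), as an added worked example that is not GitHub's, Dependabot's or any vendor's code. The findings, the advisory ids, the weights and the thresholds are constructed assumptions chosen to show a hot moderate outranking a critical dud.

```python
"""Stack CVSS (impact), EPSS (30-day exploit odds) and the CISA KEV list into one triage order."""
from dataclasses import dataclass

# Fast-climbing CWEs from the 2025 table: bump anything tagged with them. (Assumed weighting.)
WATCH_CWES = {"CWE-863", "CWE-400", "CWE-770", "CWE-502", "CWE-918"}


@dataclass
class Finding:
    advisory: str   # placeholder id, not a real GHSA or CVE
    cwe: str
    cvss: float     # CVSS base score, 0-10
    epss: float     # EPSS probability, 0-1
    in_kev: bool    # on CISA's Known Exploited Vulnerabilities list


def priority(f: Finding) -> tuple[str, float]:
    """Return (tier, score). KEV entries always lead; low EPSS plus low CVSS is deferred;
    otherwise EPSS scales CVSS so a 'critical dud' ranks below a hot moderate."""
    if f.in_kev:                         # the cross-check the article recommends: exploited beats everything
        return "P0", round(10.0 + f.epss, 2)
    if f.epss < 0.01 and f.cvss < 7.0:   # the 'ignore low EPSS' rule, but never for high/critical CVSS
        return "defer", 0.0
    score = f.cvss * (0.5 + f.epss)      # EPSS tempers CVSS: 9.8 @ 0.004 -> 4.94, 6.5 @ 0.60 -> 7.15
    if f.cwe in WATCH_CWES:
        score += 1.0
    return ("P1" if score >= 7.0 else "P2"), round(score, 2)


def triage(findings):
    """Order findings for a dashboard, highest priority first."""
    return [(f.advisory, *priority(f))
            for f in sorted(findings, key=lambda f: priority(f)[1], reverse=True)]


# Constructed sample findings; ids and scores are made up for illustration.
SAMPLE = [
    Finding("ADV-1", "CWE-918", 8.1, 0.42, True),    # SSRF already on KEV
    Finding("ADV-2", "CWE-79",  9.8, 0.004, False),  # critical XSS nobody is exploiting
    Finding("ADV-3", "CWE-502", 7.5, 0.35, False),   # deserialization, watch-list CWE
    Finding("ADV-4", "CWE-200", 5.3, 0.002, False),  # low impact, low odds: defer
    Finding("ADV-5", "CWE-400", 6.5, 0.60, False),   # moderate CVSS but hot EPSS
]

if __name__ == "__main__":
    for advisory, tier, score in triage(SAMPLE):
        print(f"{advisory:6} {tier:5} {score:5.2f}")
```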

Frequently Asked Questions

What caused the drop in GitHub advisories for 2025? Fewer old vulnerabilities reviewed as the backlog clears; new reports rose 19%.

Are open source projects safer in 2025? No—new vulns are up, CWE tagging improved for better fixes, but threats like npm malware surged 69%.

Should I trust CVSS or EPSS for prioritization? Combine them: CVSS for impact, EPSS for exploit likelihood—matches CISA exploited vulns best.

Written by James Kowalski

Investigative tech reporter focused on AI ethics, regulation, and societal impact.

Originally reported by GitHub Blog
