Open Source Vulnerabilities in 2025: What the Data Actually Shows
GitHub's 2025 vulnerability data reveals a 19% increase in new advisories, a 69% spike in npm malware, and major shifts in vulnerability types. Here's what changed and how to prioritize fixes.
TL;DR
- GitHub published 19% more advisories for new vulnerabilities in 2025, but total advisories dropped because they're running out of old unreviewed CVEs to backfill
- npm malware advisories jumped 69% year-over-year, driven by massive campaigns like SHA1-Hulud
- Resource exhaustion (CWE-400, CWE-770) and SSRF (CWE-918) vulnerabilities spiked significantly in 2025
- GitHub's CNA published 2,903 CVEs — a 35% increase — with 679 new organizations requesting CVE IDs for the first time
The Big Picture
GitHub published 4,101 reviewed advisories in 2025. That's the fewest since 2021. On the surface, this looks like good news — maybe open source is finally getting more secure?
Not quite. The drop isn't because fewer vulnerabilities exist. It's because GitHub has nearly exhausted the backlog of old, unreviewed CVEs that predate the Advisory Database itself. When you isolate newly reported vulnerabilities from GitHub's active feeds, the number actually grew 19% year-over-year.
This matters for developers because it changes what you'll see in Dependabot alerts. You should get fewer notifications about ancient vulnerabilities and more about current threats. The data also reveals which vulnerability types are surging, which ecosystems are most affected, and how to prioritize fixes when you're drowning in alerts.
The 2025 data shows three clear trends: malware is exploding in npm, resource exhaustion vulnerabilities are becoming more common across all ecosystems, and more maintainers are using GitHub's CNA services to publish CVEs — even for projects outside the traditional package ecosystems.
How It Works
The GitHub Advisory Database aggregates vulnerability data from multiple sources: the National Vulnerability Database (NVD), security advisories from package ecosystems, and direct reports from maintainers. Since its launch in 2019, it's become the canonical source for Dependabot alerts and dependency scanning across GitHub.
Here's the key distinction: "reviewed" advisories have been curated by GitHub's security team and mapped to specific package versions in supported ecosystems (npm, PyPI, Maven, Composer, Go, RubyGems, NuGet, Rust, Swift, Erlang, and GitHub Actions). "Unreviewed" advisories are CVEs that either don't affect supported ecosystems or haven't been triaged yet.
In 2025, GitHub reviewed 3,734 advisories from active feeds — up from 3,142 in 2024. But they only backfilled 367 old advisories, down from 2,093 the year before. The backfill campaigns are winding down because there simply aren't many pre-2019 CVEs left to process.
The ecosystem distribution stayed mostly stable. Maven leads at 22.24% of reviewed advisories, followed by Composer (19.4%), Go (17.33%), Pip (17.16%), and npm (14.92%). Go saw a 6% bump due to internal campaigns to fill coverage gaps.
Vulnerability types shifted noticeably. Cross-site scripting (CWE-79) remains the most common at 672 advisories, but resource exhaustion vulnerabilities (CWE-400 and CWE-770) jumped significantly. CWE-770 specifically moved up 10 spots in the overall rankings. Server-side request forgery (CWE-918) and unsafe deserialization (CWE-502) also became more prevalent.
The biggest quality improvement: advisories without any CWE classification dropped 85%, from 452 in 2024 to just 65 in 2025. GitHub's curation team also started assigning multiple CWEs per advisory instead of defaulting to generic categories like CWE-20 ("Improper Input Validation"). This specificity makes it easier to filter Dependabot alerts using auto-triage rules.
For malware, the story is dramatic. GitHub published 7,197 malware advisories in 2025 — a 69% increase over 2024. The SHA1-Hulud campaign alone accounted for a massive portion of this spike. Dependabot now detects malware in npm dependencies and alerts you when your projects depend on packages with known malicious versions.
GitHub's role as a CVE Numbering Authority (CNA) also expanded. They published 2,903 CVEs in 2025, up 35% from 2024. Growth was consistent across all four quarters, ranging from 10% to 16% per quarter. For the first time, more than half of GitHub's published CVEs (1,480) came from projects that don't publish to supported package ecosystems — meaning maintainers of C libraries, Rust crates not on crates.io, or internal tools are increasingly using GitHub to request CVE IDs.
What This Changes For Developers
If you maintain open source projects, you should see fewer Dependabot alerts about vulnerabilities from 2018 or earlier. The backfill noise is gone. What remains are current threats that actually matter.
The rise in resource exhaustion vulnerabilities (CWE-400, CWE-770) means you need to pay closer attention to how your dependencies handle untrusted input. These aren't just theoretical DoS risks — they're showing up in real advisories at a much higher rate than in previous years. If you're running services that parse user-uploaded files, process webhooks, or handle API requests, audit your dependencies for these CWE types.
The malware surge in npm is a wake-up call. If you're not already using Dependabot malware alerts, enable them now. The 69% increase isn't a blip — it reflects organized campaigns targeting the npm ecosystem. Typosquatting, dependency confusion, and compromised maintainer accounts are all active threats.
For prioritization, GitHub provides both CVSS (severity) and EPSS (exploit likelihood) scores. The data shows that most exploited vulnerabilities in CISA's Known Exploited Vulnerabilities catalog score at least "moderate" on CVSS, with the majority rated critical or high. EPSS scores skew low for most vulnerabilities, but when a vulnerability scores high on both CVSS and EPSS, it's a strong signal to prioritize remediation.
If you maintain a project and haven't set up a security policy, do it. GitHub's CNA services are free and fast — you can request a CVE directly from a repository security advisory. In 2025, 679 organizations used GitHub's CNA for the first time, including projects like FreeScout and DNN Software. The top publisher was LabReDeS (WeGIA) with 130 CVEs.
GitHub's Advanced Security tools integrate directly with the Advisory Database, so enabling Dependabot security updates gives you automatic pull requests when fixes are available. You can also configure auto-triage rules to filter alerts by CWE, severity, or ecosystem.
Try It Yourself
Enable Dependabot security updates in your repository settings under "Code security and analysis." For malware detection in npm projects, ensure Dependabot alerts are enabled — malware scanning is now included by default.
To filter Dependabot alerts by CWE, use auto-triage rules in your repository settings. For example, you can auto-dismiss alerts for CWE-20 (Improper Input Validation) if they don't include more specific CWEs, or prioritize CWE-918 (SSRF) and CWE-502 (Unsafe Deserialization) given their increased prevalence.
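The prioritization logic described above (CVSS band plus EPSS, with CISA KEV membership as an override) and the auto-triage rule for CWE-20-only alerts, combined into one offline triage script. This is an added example, not GitHub's code or the Dependabot auto-triage feature itself; the Alert shape, the weights, the EPSS threshold and the GHSA-demo ids are constructed assumptions.

```python
from dataclasses import dataclass, field

SURGING_CWES = {"CWE-400", "CWE-770", "CWE-918", "CWE-502"}  # surging in the 2025 data
GENERIC_CWE = "CWE-20"  # catch-all that GitHub's curators are moving away from
WEIGHTS = {"critical": 40, "high": 30, "moderate": 20, "low": 10, "none": 0}

def cvss_band(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    for floor, band in ((9.0, "critical"), (7.0, "high"), (4.0, "moderate"), (0.1, "low")):
        if score >= floor:
            return band
    return "none"

@dataclass
class Alert:
    ghsa_id: str            # constructed placeholder ids, not real advisories
    cvss: float             # CVSS v3.x base score
    epss: float             # EPSS probability in [0, 1]
    cwes: list[str] = field(default_factory=list)
    in_kev: bool = False    # listed in CISA's Known Exploited Vulnerabilities?

def triage(a: Alert, epss_high: float = 0.10) -> tuple[str, int]:
    """Return ("dismiss", 0) or ("fix", priority); higher priority sorts first."""
    generic_only = set(a.cwes) == {GENERIC_CWE}
    # Auto-dismiss CWE-20 alerts with no more specific CWE, guarded (assumption)
    # so a known-exploited or likely-exploited alert is never dropped.
    if generic_only and not a.in_kev and a.epss < epss_high:
        return ("dismiss", 0)
    priority = WEIGHTS[cvss_band(a.cvss)]
    priority += 30 * (a.epss >= epss_high)           # high CVSS + high EPSS: strongest signal
    priority += 50 * a.in_kev                        # already exploited in the wild
    priority += 15 * bool(SURGING_CWES & set(a.cwes))  # CWE types the 2025 data shows rising
    return ("fix", priority)

def rank(alerts: list[Alert]) -> tuple[list[str], list[str]]:
    fix, dismissed = [], []
    for a in alerts:
        decision, prio = triage(a)
        (fix if decision == "fix" else dismissed).append((prio, a.ghsa_id))
    fix.sort(key=lambda t: -t[0])  # ordered fix queue, highest priority first
    return [g for _, g in fix], [g for _, g in dismissed]

# Constructed sample alerts; values chosen to exercise each rule above.
SAMPLE = [
    Alert("GHSA-demo-0001", 9.8, 0.02, ["CWE-502"]),
    Alert("GHSA-demo-0002", 5.3, 0.01, ["CWE-20"]),
    Alert("GHSA-demo-0003", 7.5, 0.45, ["CWE-918"], in_kev=True),
    Alert("GHSA-demo-0004", 6.5, 0.30, ["CWE-20"]),
    Alert("GHSA-demo-0005", 7.5, 0.01, ["CWE-400", "CWE-770"]),
]
```

Running rank(SAMPLE) puts the KEV-listed SSRF first and dismisses only the low-EPSS CWE-20 alert; the CWE-20 alert with a high EPSS score stays in the fix queue.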
If you maintain a project, add a SECURITY.md file to your repository to define your vulnerability disclosure policy. Enable private vulnerability reporting so researchers can report issues securely. When you publish a repository security advisory, check the box to request a CVE ID — GitHub will handle the rest.
To contribute to the Advisory Database, visit github.com/advisories and search for unreviewed advisories in your ecosystem. If you find one that affects a supported package, click "Suggest improvements" and submit your edits. In 2025, 675 community contributions improved the database.
The Bottom Line
Use this data to adjust your security posture. If you're working in npm, treat malware scanning as non-negotiable — the 69% increase in malware advisories isn't slowing down. If you maintain infrastructure or API services, prioritize resource exhaustion and SSRF vulnerabilities — they're spiking across ecosystems.
Skip the backfill noise. The drop in total advisories is a good thing — it means Dependabot will surface fewer ancient CVEs and more actionable threats. If you're still seeing alerts for pre-2019 vulnerabilities, they're likely legitimate gaps that need attention.
The real opportunity here is GitHub's CNA services. If you maintain any open source project — even outside the major package ecosystems — you can request CVE IDs for free. This isn't just bureaucracy; it's how the industry tracks and responds to vulnerabilities. The 35% growth in CVE publications shows more maintainers are taking this seriously. You should too.
Source: GitHub Blog