Open Source Vulnerabilities: 2025 Trends

The landscape of open source security saw significant shifts in 2025. GitHub's latest report reveals a notable decrease in reviewed advisories, but this masks a more complex reality. Fewer old vulnerabilities were processed, while new ones continued to emerge.

In 2025, GitHub published 4,101 reviewed advisories, the lowest figure since 2021. However, this drop is attributed to a backlog clearance rather than fewer reported issues. When considering only newly reported vulnerabilities, GitHub actually reviewed 19% more advisories year over year, indicating sustained vulnerability discovery.

The GitHub Advisory Database, a critical resource since its 2019 inception, saw its pool of unreviewed older vulnerabilities diminish. This means developers may see fewer Dependabot alerts for long-past issues. The platform emphasized that "unreviewed" often signifies advisories that don't impact supported ecosystems.

Ecosystem Vulnerability Shifts

While most ecosystems maintained their usual distribution of vulnerabilities, Go experienced a notable increase in representation within 2025 advisories. This surge is linked to focused campaigns re-examining potential gaps in advisory coverage.

Evolving Vulnerability Types

Cross-site scripting (CWE-79) remained the most prevalent vulnerability. However, 2025 saw significant increases in resource exhaustion (CWE-400, CWE-770), unsafe deserialization (CWE-502), and server-side request forgery (CWE-918) vulnerabilities. Incorrect authorization (CWE-863) also jumped, largely due to reclassification from broader CWE categories.

A key improvement was more precise CWE tagging. Advisories lacking any CWE designation dropped by 85%, leading to more actionable data for triage and remediation. This specificity aids in understanding concrete failure modes beyond general input validation issues.

Prioritizing Response

GitHub highlights the combined use of Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS) for risk assessment. While CVSS measures impact, EPSS estimates the likelihood of exploitation. Combining these scores helps prioritize critical vulnerabilities that are both severe and likely to be exploited.

Malware Advisories Skyrocket

2025 was a landmark year for npm malware advisories. A 69% increase compared to 2024, driven by campaigns like SHA1-Hulud, marked the highest volume since GitHub added malware support in 2022. Dependabot alerts can now notify users of malicious npm package versions.

GitHub's Growing Role as a CNA

GitHub's own CVE Numbering Authority (CNA) saw a substantial 35% increase in published CVE records, outpacing the overall CVE Project's growth. This trend suggests GitHub will publish significantly more CVEs in the coming years. Organizations are increasingly leveraging GitHub's CNA services, with a 20% rise in new entities requesting CVE IDs.

Exploring GitHub's AI Scans for High-Impact Bugs offers a look at proactive measures in this evolving landscape.

The ongoing evolution of security practices, including advancements in tools like GitHub Copilot Agent Gets Smarter, is crucial for navigating these complex challenges in open source vulnerability trends 2025. Understanding these trends is vital for securing the software supply chain, as detailed in discussions around IBM Expert Details Top 10 Agent Security Risks.