Open Source Software Security Vulnerabilities Doubled in 2019 According to RiskSense Spotlight Report

Research Found a Nearly Two Month Lag between Public Disclosure and NVD Listing of Threats; Jenkins and MySQL are Most Weaponized


SUNNYVALE, Calif.--(BUSINESS WIRE)--RiskSense®, Inc., pioneering risk-based vulnerability management and prioritization, today announced the results of a new RiskSense Spotlight Report on vulnerabilities in leading open source software (OSS), which is used in nearly 96 percent of all commercial codebases.

Among the report’s key findings, total vulnerabilities in OSS more than doubled in 2019, from 421 Common Vulnerabilities and Exposures (CVEs) in 2018 to 968 last year. The study also revealed that OSS vulnerabilities take a long time to be added to the National Vulnerability Database (NVD), averaging 54 days between public disclosure and inclusion in the NVD. This delay can leave organizations exposed to serious application security risks for almost two months. These long lags were seen across all severities, including vulnerabilities rated as ‘Critical’ and those that were weaponized, meaning those for which an exploit is present in the wild.

“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations,” said Srinivas Mukkamala, CEO of RiskSense. “Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”


The RiskSense Spotlight Report “The Dark Reality of Open Source” used a variety of factors to build the list of OSS projects to study, including popularity on GitHub, market value of companies based on specific open source projects (e.g., Elastic and Elasticsearch), as well as various OSS software lists such as the BOSS index. In total, the research dataset included 54 open source projects. Data from 2015 through the first three months of 2020 was gathered and analyzed, which yielded a total of 2,694 CVEs.

Report Highlights

Following are some of the key insights from the report:

2019 was a Record Year for OSS Vulnerabilities
The number of published open source CVEs more than doubled compared to any previous year. Vulnerabilities increased 130% between 2018 and 2019 (from 421 to 968 CVEs), and the 2019 total was 127% higher than that of 2017 (435). This increase does not appear to be a flash in the pan, since the number of new CVEs has remained at historically high levels through the first three months of 2020.

NVD Disclosure Latency is Dangerously Long
Vulnerabilities in open source software are taking an extremely long time to be added to the U.S. NVD. The average time between the first public disclosure of a vulnerability and its addition to the NVD was 54 days. The longest observed lag was 1,817 days, for a critical PostgreSQL vulnerability. 119 CVEs had lags of more than 1 year, and almost a quarter (24%) had lags of more than a month. These lags were consistent across all vulnerability severities, with critical-severity vulnerabilities having some of the longest average lag times.

Jenkins & MySQL Have the Most Vulnerabilities
The Jenkins automation server had the most CVEs overall with 646 and was closely followed by MySQL with 624. These two OSS projects also tied for the most weaponized vulnerabilities (those for which exploit code exists), with 15 each. By contrast, HashiCorp’s Vagrant had only 9 total CVEs, but 6 of them were weaponized, making it one of the most weaponized open source projects by percentage. Meanwhile, Apache Tomcat, Magento, Kubernetes, Elasticsearch, and JBoss all had vulnerabilities that were trending or popular in real-world attacks.

Cross-Site Scripting & Input Validation are Tops in Weaponization
Cross-Site Scripting (XSS) and Input Validation weaknesses were among the most common and most weaponized weakness types in the study. XSS issues were the second most common weakness type but the most weaponized. Likewise, Input Validation issues were the third most common and second most weaponized. Input Validation and Access Control issues were both common and were seen trending in real-world attacks.

Rare does not Equal Less Dangerous
Some weaknesses were far less common, yet remained very popular in active attack campaigns. Deserialization Issues (28 CVEs), Code Injection (16 CVEs), Error Handling Issues (2 CVEs), and Container Errors (1 CVE) were all seen trending in the wild. The rarity of these issues in OSS is a positive sign for the security of open source code, but it also serves as a reminder that when such problems do arise, they can be attacked quite broadly.

Providing Real-World Context

Open source software now represents a significant percentage of the average organization’s attack surface. And while open source has many benefits, managing its vulnerabilities can pose unique challenges. The goal of this report was to provide useful data that organizations can put to use in their development, IT, and security practices. This includes insights into individual open source projects, including the specific vulnerabilities that pose the most immediate risk to an organization based on factors such as cybersecurity impact and active use in real-world attack campaigns.

A full copy of the report is available here.

About RiskSense

RiskSense®, Inc. provides vulnerability management and prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness. For more information, visit the RiskSense website or follow us on Twitter at @RiskSense.


John Dasher