Reviewed advisories hit a four-year low, malware advisories surged, and CNA publishing grew—here’s what changed.

The GitHub Blog provides updates, announcements, and insights from the world's leading software development platform, covering topics such as new features, community highlights, and industry trends. Developers can learn about GitHub's latest developments, best practices for collaboration, and tips for maximizing productivity on the platform.

GitHub Blog

GitHub's 2025 open source security data reveals 4,101 reviewed advisories (a four-year low), but the drop reflects fewer old vulnerabilities being backfilled rather than improved security. Newly reported vulnerabilities actually grew 19% year over year. npm malware advisories surged 69% due to large campaigns like SHA1-Hulud. GitHub's CNA published 2,903 CVEs, a 35% increase outpacing the overall CVE Project's 21% growth. CWE tagging quality improved significantly, with advisories lacking any CWE dropping 85%. Key vulnerability trends include rises in resource exhaustion, unsafe deserialization, and SSRF. The post also highlights how to use CVSS and EPSS scores together for better triage, and encourages developers to request CVEs, contribute advisory edits, and enable Dependabot malware alerting.

A year of open source vulnerability trends: CVEs, advisories, and malware

How vulnerabilities were distributed across ecosystems in 2025

How the types of vulnerabilities changed in 2025