GitHub's 2025 open source security data shows 4,101 reviewed advisories, a four-year low, but the drop reflects fewer old vulnerabilities being backfilled rather than improved security: newly reported vulnerabilities actually grew 19% year over year. npm malware advisories surged 69%, driven by large campaigns such as SHA1-Hulud. GitHub's CNA published 2,903 CVEs, a 35% increase that outpaced the CVE Program's overall 21% growth. CWE tagging quality improved significantly, with the number of advisories lacking any CWE dropping 85%. Notable vulnerability trends include rises in resource exhaustion, unsafe deserialization, and server-side request forgery (SSRF). The post also explains how to use CVSS severity scores and EPSS exploitation-probability scores together for better triage, and encourages developers to request CVEs, contribute advisory edits, and enable Dependabot malware alerting.
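The triage idea above, combining CVSS severity with EPSS exploitation probability, is easy to get wrong by sorting on CVSS alone. The following is an added example, not code from GitHub's post or from the Advisory Database; the bucket thresholds, the advisory records and the GHSA identifiers are all constructed assumptions for illustration. It ranks a small constructed set of advisories so that a high-EPSS, high-severity issue outranks a critical-CVSS issue that is rarely exploited.

```python
from dataclasses import dataclass

# Illustrative thresholds (assumptions, not values from GitHub's post).
# EPSS is a probability of exploitation in the next 30 days; CVSS is a
# 0.0-10.0 base severity score.
EPSS_HIGH = 0.10
CVSS_CRITICAL = 9.0
CVSS_HIGH = 7.0


@dataclass(frozen=True)
class Advisory:
    ghsa_id: str   # GHSA-style identifier (placeholder values below)
    package: str   # affected package (placeholder)
    cvss: float    # CVSS base score, 0.0-10.0
    epss: float    # EPSS probability, 0.0-1.0


def triage_bucket(adv: Advisory) -> str:
    """Assign an advisory to a response bucket.

    Exploitation likelihood (EPSS) is checked first so that a widely
    exploited high-severity bug is not buried under unexploited criticals.
    """
    if adv.epss >= EPSS_HIGH and adv.cvss >= CVSS_HIGH:
        return "fix-now"
    if adv.cvss >= CVSS_CRITICAL:
        return "schedule"
    if adv.cvss >= CVSS_HIGH or adv.epss >= EPSS_HIGH:
        return "track"
    return "backlog"


_BUCKET_ORDER = {"fix-now": 0, "schedule": 1, "track": 2, "backlog": 3}


def prioritize(advisories: list[Advisory]) -> list[Advisory]:
    """Order advisories by bucket, then by EPSS, then by CVSS (descending)."""
    return sorted(
        advisories,
        key=lambda a: (_BUCKET_ORDER[triage_bucket(a)], -a.epss, -a.cvss),
    )


# Constructed sample input; identifiers and scores are made up.
SAMPLE = [
    Advisory("GHSA-xxxx-xxxx-0001", "pkg-a", cvss=9.8, epss=0.004),  # critical, rarely exploited
    Advisory("GHSA-xxxx-xxxx-0002", "pkg-b", cvss=7.5, epss=0.42),   # high, actively exploited
    Advisory("GHSA-xxxx-xxxx-0003", "pkg-c", cvss=5.3, epss=0.01),   # medium, quiet
    Advisory("GHSA-xxxx-xxxx-0004", "pkg-d", cvss=8.1, epss=0.02),   # high, quiet
    Advisory("GHSA-xxxx-xxxx-0005", "pkg-e", cvss=9.1, epss=0.15),   # critical and exploited
]


if __name__ == "__main__":
    for adv in prioritize(SAMPLE):
        print(f"{triage_bucket(adv):9} {adv.ghsa_id} cvss={adv.cvss} epss={adv.epss}")
```

Note that the EPSS-first ordering moves the 7.5-scored, heavily exploited advisory ahead of the 9.8-scored one with negligible exploitation probability; a pure CVSS sort would have put it third.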
Table of contents
What is the GitHub Advisory Database?
How vulnerabilities were distributed across ecosystems in 2025
How the types of vulnerabilities changed in 2025
How to prioritize your response
CVE publications
Organizations using GitHub's CNA