Application security, DevSecOps, Vulnerability Management, Patch/Configuration Management, Critical Infrastructure Security, Supply chain

Open-source vulnerabilities per codebase surge by 107%

The average number of open-source vulnerabilities in commercial codebases increased by a history-making 107% in 2024, Black Duck’s 2026 Open Source Security and Risk Analysis (OSSRA) report revealed Wednesday.

The increase in vulnerabilities correlates with an overall increase in codebase size and complexity, with the average number of files per codebase increasing by 74% and the average number of open-source components increasing by 30%.

Black Duck cited the rise of AI coding assistants as a likely driver of an unprecedented surge in overall code volume between 2023 and 2025, as well as one of many factors in the correlating increase in vulnerabilities.

The OSSRA report is based on audits of 947 codebases across 17 industries, totaling 2,843 individual projects, between November 2024 and October 2025. Code bases are scanned against Black Duck’s KnowledgeBase, which includes data from more than 10 million open-source projects and 317,000 open-source vulnerabilities.

Codebases contain 237 unique vulnerabilities on average

The overall proportion of codebases containing at least one vulnerability remained mostly steady year-over-year, from 86% in 2024 to 87% in 2025, but the average number of vulnerabilities more than doubled, and the average number of unique vulnerabilities increased 54%.


Related reading:


The overall vulnerability count can include the same vulnerability present in multiple parts of a codebase, while unique vulnerabilities refers to the number of distinct vulnerabilities (i.e. CVEs) across the entire codebase.

On average, codebases contained 581 vulnerabilities and 237 unique vulnerabilities in 2025, with the maximum vulnerabilities in a single codebase reaching 38,998. The median number of vulnerabilities was 78, a 32% increase from the previous year.

“While 581 vulnerabilities per application sounds dramatic, it’s largely transitive dependency sprawl, inherited multiple layers deep,” Saumitra Das, vice president of engineering at Qualys, noted in comments to SC Media. “The 107% year-over-year increase reflects compounding complexity, not careless development.”

The most common CVEs were CVE-2020-11022 and CVE-2020-11023, two medium-severity cross-site scripting (XSS) flaws in jQuery, each present in 28% of codebases. CVE-2020-11023 was added to the Cybersecurity and Infrastructure Security Agency’s Know Exploited Vulnerabilities (CISA KEV) catalog in January 2025.

Despite the overall increase in vulnerabilities, the average number of codebases containing high-severity and critical vulnerabilities decreased by 3 and 4 percentage points, respectively, between 2024 and 2025. Still, critical vulnerabilities were found in 44% of codebases, and high-severity flaws in 78%.

AI was considered to be one potential factor in the increase in open-source vulnerabilities present, as it increases the pace of development and therefore the rate at which new dependences are added to codebases, according to Black Duck. AI is also more likely to suggest popular and well-established open-source libraries with more documented vulnerabilities due to their widespread use and increased scrutiny.

“There are no rules that AI-assisted growth has to follow. It adds code, dependencies, and architectural choices at a speed that is faster than what standard review and fix processes can handle,” Randolph Barr, CISO at Cequence Security, told SC Media. “The growing gap between the speed of innovation and the maturity of governance is what I find most important.”

Another likely factor in the increase is the overall increase in open-source vulnerability disclosures during the study time period, partly driven by the addition of the Linux Kernel team as a CVE Numbering Authority (CNA) in early 2024. As a result, more than 5,000 Linux Kernel vulnerabilities were disclosed during the auditing period, the report notes.

Outdated open-source components could pose EU compliance issues

The OSSRA report also examined the prevalence of outdated and unmaintained open-source dependencies and how this “maintenance debt” could impact compliance with the EU Cyber Resilience Act (CRA), which goes into effect in September 2026.

While year-over-year increases in codebases with outdated and unmaintained components were relatively small, the overall volume of codebases affected by these issues remains concerning. Ninety-two percent of codebases included components that were four or more years out of date, and 93% included components with no development activity for at least two years.

Additionally, 92% of codebases included components that were 10 or more versions behind the current version. Overall, only 7% of components across all codebases were running the latest version, and 41% of components were at least 10 versions behind. More than two-thirds (68%) of components across all codebases were more than two years old.

The EU CRA will require manufacturers of digital products in the European market to address vulnerabilities throughout the product’s support period and report exploitable vulnerabilities within its products within 24 hours of becoming aware of its exploitability.

In order to stay in compliance with these requirements, organizations will need to continuously track the status of open-source components, maintain current software bills of material (SBOMs) and have robust vulnerability response processes, the OSSRA report outlines. For unmaintained, vulnerable “zombie components,” organizations must decide whether to replace these components, patch the vulnerabilities themselves or accept the risk of potential penalties.

“For security teams, visibility is non-negotiable. Organizations must know exactly what is in their software, including open source components, transitive dependencies, and embedded AI models,” Diana Kelley, CISO at Noma Security, said in an email to SC Media. “Accurate, continuously updated SBOMs and AI BOMs, along with automated vulnerability and license management, are baseline requirements.”  

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds