What caused the drop in GitHub advisories for 2025?

Fewer old vulnerabilities reviewed as the backlog clears; new reports rose 19%.

Are open source projects safer in 2025?

No—new vulns are up, CWE tagging improved for better fixes, but threats like npm malware surged 69%.

Should I trust CVSS or EPSS for prioritization?

Combine them: CVSS for impact, EPSS for exploit likelihood—matches CISA exploited vulns best.

Open Source Vulnerabilities Plateau in 2025: New Threats Surge Despite Fewer Alerts

GitHub reviewed just 4,101 advisories in 2025, the lowest since 2021. Don't pop the champagne—new vulnerabilities jumped 19%, and npm malware spiked 69%.

DevTools Feed Apr 02, 2026 4 min read

Line chart showing open source vulnerability advisories from 2021 to 2025 with CWE rankings inset

⚡ Key Takeaways

Reviewed advisories hit 4,101 in 2025 (lowest since 2021), but new vulnerabilities rose 19%. 𝕏
CWE-79 (XSS) still #1; resource exhaustion and deserialization climbed fast. 𝕏
npm malware advisories up 69%; Go ecosystem overrepresented by 6%. 𝕏

Published by

DevTools Feed

Ship faster. Build smarter.

#CVE trends 2025 #CVEs 2025 #GitHub Advisory Database #npm malware #open source vulnerabilities #open source vulnerability trends

Worth sharing?

Get the best Developer Tools stories of the week in your inbox — no noise, no spam.

Originally reported by GitHub Blog

⚡ Key Takeaways

The 60-Second TL;DR

DevTools Feed

Share this article

Worth sharing?

Related Stories

One Forgotten Line: How Anthropic Handed Rivals Their $340 Billion AI Crown Jewels

MCP's Tool Permissions Wake-Up Call: Stop Handing Agents the Keys to Everything

The AI Research Engine That Ditches Google for 100+ Raw Data APIs

Gemma 4: Multimodal Hype Meets Real Hacking

Stay in the loop