What caused the drop in GitHub advisories for 2025?

Mostly clearing old, irrelevant vulns—new ones rose 19%.

Why is CWE-79 still king in open source vulns?

XSS everywhere; web apps gonna web.

How bad is npm malware in 2025?

69% jump from campaigns like SHA1-Hulud—scan ruthlessly.

Open Source Vulnerabilities Hit Four-Year Low in 2025: Backlog Cleared, But New Threats Surge

GitHub reviewed just 4,101 open source advisories in 2025—the fewest since 2021. But don't pop the champagne; new vulnerabilities jumped 19%, signaling no safety net yet.

Open Source Beat Apr 07, 2026 3 min read

Line chart showing decline in GitHub reviewed open source advisories from 2021-2025 with new vuln spike

⚡ Key Takeaways

Reviewed advisories hit 4-year low at 4,101, but new vulns up 19% YoY. 𝕏
CWE shifts: Resource exhaustion and SSRF surged; tagging improved 85%. 𝕏
npm malware spiked 69%; prioritize EPSS + CVSS for real threats. 𝕏

Published by

Open Source Beat

Community-driven. Code-first.

#CVE 2025 #CVE trends 2025 #CWE trends #GitHub Advisory Database #GitHub advisories #npm malware #open source vulnerabilities #open source vulnerability trends

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by GitHub Blog

⚡ Key Takeaways

The 60-Second TL;DR

Open Source Beat

Share this article

Worth sharing?

Related Stories

GitHub's Supply Chain Security Push: Real Fixes or Microsoft PR Polish?

React Server Components' Perfect-Score RCE Flaw Exposes Millions of Apps

Anthropic's One-Line Fumble Leaks Billions in Code

Warden v2.0: Free CLI That Sniffs Out Malicious npm Packages in Seconds

Stay in the loop