Eighty-six percent of commercial codebases contain vulnerabilities, with 81% harboring high-or-critical-risk vulnerabilities, new research from Black Duck has revealed.
The 2025 Open Source Security and Risk Analysis (OSSRA) report drives home the massive risk posed by outdated and unmonitored open-source components. It reveals that the average number of open-source files in applications has tripled over the past four years, surging from 5300 in 2020 to over 16000 in 2024.
“The 2025 OSSRA report underscores a critical and ongoing challenge for organizations: managing the security and compliance risks inherent in open source software,” said Jason Schmitt, CEO of Black Duck. “As open source adoption continues to grow at an incredible velocity, businesses need to implement robust software composition analysis and risk management strategies to build trust into their applications, data, and intellectual property.”
Blind Spots in Open Source Security
For Mike McGuire, Senior Manager at Black Duck and OSSRA data advisor, the report’s most significant takeaway is the prevalence of blind spots in open-source dependency management.
According to the report, 90% of audited codebases contained open-source components over four years out of date. Outdated components expand organizations’ attack surfaces, heighten cyber threats, and introduce compliance issues.
“We’ve stressed for some time the importance of eliminating these blind spots, but that has become particularly important as more industries and consumers demand complete supply chain visibility,” he said.
The report also revealed that only 77% of dependencies could be identified via package manager scanning, meaning a significant portion of open-source components are being introduced through other means, including AI coding assistants. These blind spots are what lead to lingering unpatched vulnerabilities, outdated components, and license conflicts.
jQuery’s Persistent Vulnerabilities
jQuery emerged as a major culprit among the identified high-risk vulnerabilities, with eight of the top ten vulnerabilities linked to the widely used JavaScript library. In fact, 43% of the applications Black Duck scanned contained some version of jQuery, which was frequently an outdated version.
McGuire argues that “this doesn’t really say much about jQuery; it speaks to what most of the audited applications are doing.” Eric Schwake, Director of Cybersecurity Strategy at Salt Security, however, noted that “outdated open-source components, such as the prevalent yet vulnerable jQuery, significantly increase the attack surface.”
License Conflicts and Compliance Risks
License conflicts also emerged as a pressing issue. The OSSRA report found that 56% of audited codebases contained some form of license conflicts, largely due to transitive dependencies. Moreover, 33% of codebases included open-source components with no license or customized licenses, creating significant legal and compliance risks.
Trey Ford, CISO at Bugcrowd, stressed the importance of the Software Bill of Materials (SBOMs) in addressing these challenges. This must-read report underscores why SBOMs are a great thing,” he said. “Licensing is complicated – SBOMs lower the risk of surprise in M&A scenarios and can increase confidence in deal discussions,” he continued.
The Path Forward: Proactive Governance and Security Measures
Jason Soroko, Senior fellow at Sectigo, highlights the growing risk posed by unmaintained open-source components. “Open source software is both indispensable and dangerously neglected,” he warned. “With 86% of codebases harboring vulnerabilities and a tripling in open-source file counts over four years, modern applications have increased their attack surfaces without adequate oversight.”
Soroko stressed that traditional security measures are failing to keep up with the complexity of open-source software. “Traditional package scanning misses over 20% of dependencies, exposing blind spots introduced by alternate coding practices and even AI tools. This report isn’t just a wake-up call, but it’s a mandate for proactive governance.”
Schwake echoed this sentiment, arguing that these vulnerabilities directly affect APIs, which are often built upon and integrated with open-source components. When vulnerable libraries are utilized in APIs, those APIs inherit associated risks. Attackers can leverage these vulnerabilities to compromise API endpoints, access sensitive information without authorization, or disrupt services.
“This highlights the necessity for a strong approach to API Posture Governance. By undertaking thorough API discovery, organizations can locate all APIs, including those using open-source components, allowing for comprehensive vulnerability scanning and risk evaluation. Posture Governance facilitates establishing and enforcing security policies, ensuring APIs meet best practices regarding authentication, authorization, and data protection. By enhancing visibility into APIs within open-source software and applying security policies, organizations can substantially lower their attack surface and mitigate risks tied to vulnerable open-source dependencies,” he said.
What Organizations Can Do Now
In response to the report’s findings, McGuire offers the following recommendations:
- Embedded software providers must prioritize software quality, safety, and reliability, especially in critical industries like aerospace and healthcare.
- Independent software vendors (ISVs) should monitor and address license conflicts, given that more than half of audited codebases had licensing issues.
- Enterprise regulated organizations must improve SBOM accuracy and eliminate dependency blind spots before certifying their software.
Ultimately, considering the critical role open source software plays in modern applications, it’s clear that organizations must take swift action to patch vulnerabilities, update outdated components, and enforce strong governance practices. The 2025 OSSRA report emphasizes the urge need for improved transparency, dependency management, and security-first approaches to open source software usage.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
