GitHub's 2025 Security Report: Fewer CVEs Reviewed, More Malware, and Growing CNA Adoption

Serverless Reporter

GitHub reviewed 4,101 advisories in 2025, the fewest since 2021, but saw 19% more newly reported vulnerabilities. The drop reflects running out of older unreviewed CVEs, not fewer new issues. Malware advisories jumped 69%, while GitHub's CVE Numbering Authority grew 35% with 679 new organizations.

GitHub published 4,101 reviewed advisories in 2025, marking the fewest reviewed advisories since 2021. However, this decline doesn't indicate fewer vulnerabilities were reported. Instead, GitHub reviewed far fewer older vulnerabilities, while newly reported issues actually increased by 19% year over year. The drop reflects running out of unreviewed vulnerabilities older than the Advisory Database, not a decrease in new security issues.

The distribution of ecosystems in 2025 advisories closely mirrors the overall database, with one notable exception: Go is overrepresented by 6%. This is largely due to dedicated campaigns to re-examine potentially missing advisories found through internal reviews for packages with inconsistent coverage.

Cross-site scripting (CWE-79) remains the most common vulnerability type, but 2025 saw significant shifts in other areas. Resource exhaustion (CWE-400 and CWE-770), unsafe deserialization (CWE-502), and server-side request forgery (CWE-918) were unusually common. Incorrect Authorization (CWE-863) jumped significantly due to reclassification away from higher-level CWEs. One of the biggest quality improvements was more specific CWE tagging, with advisories lacking any CWE dropping 85% from 452 in 2024 to 65 in 2025.

For prioritization, GitHub provides both Common Vulnerability Severity Score (CVSS) and Exploit Prediction Scoring System (EPSS). While most vulnerabilities skew moderate to high in impact, combining both scores helps identify which vulnerabilities are most likely to be exploited. Analysis of CISA's Known Exploited Vulnerabilities Catalog shows that exploited vulnerabilities are at least scored moderate, with most being critical or high.
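An added example of the prioritization approach described above (not code from GitHub's report): advisories are ranked by KEV membership first, then EPSS probability, then CVSS base score, using the standard CVSS v3 qualitative bands. The GHSA identifiers, scores and the 0.1 EPSS floor are constructed for illustration.

```python
"""Triage helper combining CVSS base score, EPSS probability and CISA KEV
membership. All sample advisories below are constructed, not real records."""
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its standard qualitative band."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass(frozen=True)
class Advisory:
    ghsa_id: str   # hypothetical identifier, not a real GHSA record
    cvss: float    # CVSS base score, 0.0 to 10.0
    epss: float    # EPSS probability of exploitation, 0.0 to 1.0
    in_kev: bool   # listed in CISA's Known Exploited Vulnerabilities catalog


def triage_rank(adv: Advisory) -> tuple:
    """Sort key: KEV first, then EPSS, then CVSS (use with reverse=True)."""
    return (adv.in_kev, adv.epss, adv.cvss)


def prioritize(advisories, epss_floor=0.1):
    """Return advisory ids in remediation order. Anything in KEV or at or above
    the (assumed) EPSS floor is urgent and ranked by triage_rank; the rest are
    ordered by CVSS score alone."""
    urgent = [a for a in advisories if a.in_kev or a.epss >= epss_floor]
    rest = [a for a in advisories if a not in urgent]
    urgent.sort(key=triage_rank, reverse=True)
    rest.sort(key=lambda a: a.cvss, reverse=True)
    return [a.ghsa_id for a in urgent + rest]


SAMPLE = [  # constructed sample data
    Advisory("GHSA-EXAMPLE-0001", 9.8, 0.02, False),  # critical, rarely exploited
    Advisory("GHSA-EXAMPLE-0002", 6.5, 0.85, True),   # medium, actively exploited
    Advisory("GHSA-EXAMPLE-0003", 7.5, 0.30, False),  # high, likely exploited
    Advisory("GHSA-EXAMPLE-0004", 3.1, 0.01, False),  # low
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.ghsa_id, cvss_severity(a.cvss), f"EPSS={a.epss:.2f}", "KEV" if a.in_kev else "")
    print(prioritize(SAMPLE))
```

Note that the KEV-listed medium-severity advisory outranks the critical one with a low EPSS, which is the point the report makes about combining both scores.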

2025 was a massive year for npm malware advisories, with a 69% increase compared to 2024 due to large malware campaigns like SHA1-Hulud. This represents the most malware advisories GitHub has published since adding support in 2022.

GitHub's CVE Numbering Authority (CNA) saw 35% growth in published CVE records, outpacing the overall CVE Project's 21% increase. The trend shows 10-16% growth every quarter, and if this continues, GitHub will publish over 50% more CVEs in 2026. Notably, 2025 was the first year GitHub published more CVEs from organizations that don't use supported ecosystems than those that do.

Among the top 10 most prolific organizations using GitHub's CNA services, LabReDeS (WeGIA) led with 130 CVEs, followed by XWiki with 40 and Frappe with 28. Several organizations, marked with asterisks, published CVEs through GitHub for the first time in 2025.

Looking ahead to 2026, GitHub encourages developers to use CNA services, improve advisory accuracy through community contributions, protect projects with Dependabot and Advanced Security, and make vulnerability reporting easier through security policies and private reporting.

These numbers represent real security improvements for millions of developers, with 4,101 reviewed advisories, 7,197 malware advisories, 2,903 CVEs published, and 679 new organizations using GitHub's CNA services in 2025 alone.
