To help make sense of today’s open source vulnerability landscape, our research team recently crunched the numbers and published the “2021 State of Open Source Vulnerabilities.” The report leverages FOSSA’s Vulnerability Database to analyze trends and developments in open source security.

In this blog, we’ll break down four of the report’s most important takeaways, including particularly vulnerable languages and libraries.


Download the Report: The 2021 State of Open Source Vulnerabilities


1. Java and JavaScript are Frequent Targets

Java and JavaScript top our list of programming languages with the most identified vulnerabilities. Java has 44.48% of identified vulnerabilities, JavaScript 15.16%. This shouldn’t come as a huge surprise — both Java and JavaScript are extremely popular languages, meaning they generate more scrutiny and attract more security research.

Interestingly, in 2019, Python overtook Java as the second-most popular programming language, yet its share of vulnerabilities remains low. In contrast, Go’s growing popularity in 2017 and 2018 is reflected in its increase in exploit count.

2. Poor Input Validation is a Common Problem

CWE-79, also known as “Cross-Site Scripting,” was our most-found vulnerability in 2020. CWE-79 errors are prevalent in almost all web languages. CWE-20, which describes unvalidated inputs that alter the expected code output, was a close second.

Although CWE-79 and CWE-20 differ in that CWE-20 describes cases where arbitrary code is not executed, both vulnerabilities stem from situations where organizations don’t adequately sanitize their inputs. One common mistake is relying only on client-side validation for bounds checking. Client-side validation is necessary and important for UI functionality and initial validation, but it is not a substitute for server-side validation. As a best practice, perform input validation on both the client side and the server side.
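The following sketch illustrates the server-side half of that practice. It is an added example, not code from the report or from FOSSA: the field names (`quantity`, `comment`), the limits and the sample values are hypothetical. It re-checks bounds the browser form may already enforce (CWE-20) and encodes user text when it is rendered (CWE-79).

```javascript
// Added example: server-side re-validation of a form the browser already checked.
// Field names and limits are hypothetical, chosen for illustration.
const LIMITS = { quantityMin: 1, quantityMax: 100, commentMaxLen: 280 };

// Encode the five HTML-significant characters so user text renders as text (CWE-79).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validate a parsed request body on the server, whatever the client checked (CWE-20).
function validateOrder(body) {
  const errors = [];
  const raw = body ? body.quantity : undefined;
  // Accept only a short decimal integer; "1e2", "0x10", "-5", arrays and objects fail.
  const qtyText = typeof raw === 'number' ? String(raw) : raw;
  let quantity = null;
  if (typeof qtyText !== 'string' || !/^[0-9]{1,4}$/.test(qtyText)) {
    errors.push('quantity must be a whole number');
  } else {
    quantity = Number(qtyText);
    if (quantity < LIMITS.quantityMin || quantity > LIMITS.quantityMax) {
      errors.push(`quantity must be between ${LIMITS.quantityMin} and ${LIMITS.quantityMax}`);
    }
  }
  const comment = body ? body.comment : undefined;
  if (typeof comment !== 'string' || comment.length > LIMITS.commentMaxLen) {
    errors.push('comment must be a string within the length limit');
  }
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { quantity, comment } };
}

// Render a confirmation fragment; encoding is applied at output time.
function renderConfirmation(order) {
  return `<p>Quantity: ${order.quantity}</p><p>Note: ${escapeHtml(order.comment)}</p>`;
}

// Constructed sample bodies: one in range, one that skipped the browser's max=100 check.
const accepted = validateOrder({ quantity: '5', comment: '<b>rush</b> & "fragile"' });
const rejected = validateOrder({ quantity: '5000', comment: 'ok' });
console.log(accepted.ok ? renderConfirmation(accepted.value) : accepted.errors);
console.log(rejected.ok, rejected.errors);
```

Validation and encoding are kept as separate steps: the validator decides whether the request is acceptable, and the encoder makes whatever text is accepted safe for the HTML context it is written into.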

3. Cross-Site Scripting is on the Rise

As mentioned, CWE-79 (Cross-Site Scripting) was our most-found vulnerability in 2020. This is the latest data point in a trend we’ve witnessed: a spike in CWE-79 occurrences. In fact, the average number of known CWE-79 vulnerabilities from 2018 to 2020 was nearly twice what it was from 2015 to 2017.

4. Open Source Libraries are Vulnerable, too

Jackson-databind, an extremely popular Java library for parsing JSON that’s used in many enterprise applications, tops our list of most vulnerable libraries. Next up is nokogiri, a Ruby library that parses HTML and XML input.

This is another area where we see the theme of malicious inputs; incorrect usage of inputs or unvalidated inputs are a source of many vulnerabilities, which explains why parsing libraries are often affected.

Get More Open Source Security Insights

Download the full 2021 State of Open Source Vulnerabilities report for a comprehensive look at today’s OSS security landscape. The report provides additional information on common CWEs and vulnerabilities in libraries and programming languages, along with guidance to help keep your organization’s software free of vulnerabilities.

