CVE Blind Spot: EOL Software

May 6, 2026 00:03 · 12 min read
Introduction to the EOL Blind Spot

When considering end-of-life (EOL) open source software, security teams often focus on the lack of patches. However, this is only half the story, and arguably the less dangerous half. Two compounding problems are generally overlooked: the CVE ecosystem's inability to investigate unsupported versions and the industry's incorrect counting of EOL software.

The CVE Ecosystem's Limitations

When a vulnerability is discovered in an open source project, maintainers determine which versions are affected and file a CVE with a defined affected range. Every vulnerability scanner, SBOM tool, and CVE feed consumes that range. If a version falls outside it, no alert is triggered. EOL versions often fall outside that range by default, because of a scale problem: according to Sonatype's 2026 State of the Software Supply Chain report, the global CVE count doubled in just five years, while the number of unscored CVEs increased 37x.

Maintainers are overwhelmed investigating and patching supported versions, and the investigative bandwidth required to cover older release lines is lacking. As a result, EOL versions are omitted from advisories, which creates false security confidence. Sonatype's research identified 167,286 false negatives (exploitable components that went entirely unflagged) in 2025 alone.

The Scale of the Problem

HeroDevs' EOL DS tracks end-of-life status across 12M+ package versions on npm, PyPI, Maven, NuGet, and other major registries. The data reveals that approximately 5.4 million package versions are end-of-life. However, the industry's most complete public source, endoflife.date, only accounts for ~7,000 of them. The breakdown by ecosystem is striking, with approximately 25% of npm package versions being EOL, followed by NuGet at 18%, Cargo at 13%, PyPI at 11%, and Maven Central at 10%.

Real-World Examples

Two recent critical vulnerabilities in the Spring ecosystem illustrate this issue. CVE-2026-22732, a critical vulnerability in Spring Security, causes security response headers to be silently dropped in certain servlet application configurations. The official affected range covers Spring Security 5.7.x through 7.0.x but does not include Spring Security 6.2.x, which reached EOL in December 2025. HeroDevs has confirmed that Spring Security 6.2.x is affected and has backported a fix for NES customers, but the upstream CVE record does not reflect this.

This is not an isolated incident. HeroDevs encounters this pattern consistently, finding that approximately 80% of the time, a new CVE disclosed on a supported package also affects an EOL version not listed as affected in the official CVE record.
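The pattern above, shown in code as an added example that is not part of the article or of HeroDevs' tooling: a range-driven scanner only alerts when a component's release line appears in the advisory, so a branch the maintainers never investigated is silently reported clean. The advisory branches and EOL table below are constructed for illustration (they are not the real CVE-2026-22732 record); only the 6.2.x EOL date comes from the article. The `assess` cross-check then treats an EOL line that sits inside the advisory's span but matches no listed branch as unassessed rather than unaffected.

```python
import re
from dataclasses import dataclass


def branch(version: str) -> tuple[int, int]:
    """Reduce '6.2.9' or '6.2.9-SNAPSHOT' to its (major, minor) release line."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class Advisory:
    cve: str
    affected_branches: set[str]  # release lines the maintainers actually investigated

    def lines(self) -> list[tuple[int, int]]:
        return sorted(branch(b) for b in self.affected_branches)


# Constructed advisory for illustration only: NOT the branches in the real CVE record.
# It reproduces the shape the article describes: a span from 5.7.x to 7.0.x with
# the EOL 6.2.x line missing.
SPRING_ADVISORY = Advisory("CVE-2026-22732", {"5.7", "6.3", "6.4", "6.5", "7.0"})

# Constructed EOL table; the 6.2 entry is the date the article gives (December 2025).
EOL_BRANCHES = {"6.2": "2025-12"}


def scanner_flags(version: str, adv: Advisory) -> bool:
    """What a range-driven scanner does: alert only when the line is listed."""
    return branch(version) in adv.lines()


def assess(version: str, adv: Advisory = SPRING_ADVISORY, eol: dict = EOL_BRANCHES) -> str:
    """Defender's cross-check: a version between the lowest and highest affected
    line that matches none of them and is EOL was most likely never investigated,
    so report it as unassessed instead of clean."""
    if scanner_flags(version, adv):
        return "affected"
    lines = adv.lines()
    b = branch(version)
    if lines[0] <= b <= lines[-1] and f"{b[0]}.{b[1]}" in eol:
        return "unassessed-eol"
    return "not-affected"


if __name__ == "__main__":
    for v in ("6.3.2", "6.2.9", "5.6.0"):
        print(v, "scanner:", scanner_flags(v, SPRING_ADVISORY), "assessment:", assess(v))
```

Running it shows 6.2.9 passing the scanner unflagged while `assess` reports it as `unassessed-eol`, which is the false negative the article describes.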

Why This Is Getting Worse

The OSS ecosystem is scaling faster than the security infrastructure built to monitor it. npm alone recorded over 838,000 releases associated with critical CVSS 9.0+ scores in 2025, while PyPI download volume grew over 50% year over year. Every new package version that enters a registry is a future EOL version, and the EOL population grows continuously, while the investigative capacity to cover it does not.

The introduction of AI-assisted vulnerability research will further exacerbate this issue. While AI can accelerate defense for supported software, it will also surface findings in EOL versions that no maintainer is watching, widening the exposure gap for everything already left behind.

Conclusion

Organizations are profoundly underreporting their EOL exposure due to tooling limitations. HeroDevs estimates that the actual number of EOL package versions with known CVEs and no available fix path may exceed 400,000 across all registries. The HeroDevs EOL Dataset can help organizations identify EOL packages in their stack, including transitive dependencies that scanners often miss.

By uploading an SBOM or running the CLI, organizations can get a report listing every EOL package in their stack, allowing them to take proactive measures to address potential vulnerabilities. As AI-assisted vulnerability research scales, the number of undisclosed vulnerabilities in uninvestigated EOL packages will only grow, making it essential for organizations to stay ahead of the curve.


Source: BleepingComputer
