Fulton, Md., Nov. 20, 2025 (GLOBE NEWSWIRE) -- Sonatype®, the leader in AI-driven DevSecOps, today released a new report, “Trust Issues: The CVE Crisis,” revealing that the world’s most widely used vulnerability index — the Common Vulnerabilities and Exposures (CVE) system — struggles to keep pace with the realities of modern software development. The study analyzed 1,552 open source vulnerabilities disclosed in 2025 and found that nearly two-thirds (64%) lacked severity scores from the National Vulnerability Database (NVD).
The study from Sonatype Security Research exposes widespread inaccuracies and delays in the global CVE system that organizations, security professionals, and generative and agentic AI tools rely on to prioritize and remediate risk. Key takeaways from the study include:
- Coverage is collapsing: Only 36% of open source CVEs had a CVSS score assigned by the NVD, meaning teams can triage effectively in only about one third of cases. Upon review by Sonatype, nearly half of all unscored vulnerabilities were scored in the Critical or High range.
- Accuracy is unreliable: Of the CVEs that were scored, fewer than 1 in 5 severity ratings were correct; 62% of NVD scores overstated severity while 34% understated it. On top of that, 19,945 false positives and 156,474 false negatives were identified across CVE records — wasting developer time and obscuring real threats.
- Timeliness is deteriorating: 2025 saw a mean delay of more than six weeks between disclosure and NVD scoring, with some advisories taking up to 50 weeks. This signals that the CVE/NVD pipeline can’t keep pace with today’s exploit timelines, turning “official” data into an operational bottleneck.
“The CVE program was never built for the scale and speed of modern, component-based software development. That has been the case with open source, and is even more true with AI,” said Brian Fox, CTO and Co-founder of Sonatype. “Vulnerability intelligence must shift from indexing what someone assigned yesterday, to delivering real-time insight into what’s actually running in your environment. CVE remains a shared language — but it can’t be the full story anymore. We need intelligence that is dynamic: version-aware, ecosystem-aware and ready at machine-speed.”
The security community urgently needs to move beyond indexing to real-time intelligence. Sonatype is already leading that shift with Nexus One, its newly launched AI-native DevSecOps platform that brings together open source intelligence, governance, malware defense, and dependency automation into a single, agentic infrastructure. Built on more than 15 years of curated OSS intelligence and advanced machine learning, Nexus One delivers 10 times faster insights than the NVD and enables organizations to remediate risk 30% faster on average.
“The findings from our CVE study underscore exactly why Nexus One exists,” said Bhagwat Swaroop, CEO of Sonatype. “Traditional systems can’t keep up with the scale and sophistication of open source risk associated with gen AI and agentic AI development. Nexus One gives enterprises the intelligence, automation, and visibility they need to innovate securely — turning what used to be a bottleneck into a competitive advantage.”
To download Trust Issues: The CVE Crisis, visit https://www.sonatype.com/resources/research/the-cve-crisis.
About Sonatype
Sonatype is the leader in AI-driven DevSecOps. As the maintainers of Maven Central and creators of Nexus Repository, Sonatype has spent two decades pioneering how the world manages and secures open source software — making Sonatype the trusted authority for modern software supply chains. With unmatched open source visibility and a unified product suite built for modern software development, Sonatype gives enterprises the intelligence and automated governance they need to harness the full potential of open source and AI. Sonatype handles the complexity behind the scenes: guiding component and model selection, blocking malicious code, automating dependency and vulnerability management, and ensuring faster, more reliable builds — so developers spend more time on innovation and less time on remediation and rework. Trusted by more than 15 million developers, Sonatype helps power secure, modern software development at nearly 2,000 global organizations including 70% of the Fortune 100. To learn more about Sonatype, please visit www.sonatype.com.
Methodology
This whitepaper is based on Sonatype’s 2025 analysis of 1,552 open source CVEs drawn from multiple publicly available and proprietary data sources. The study focused on vulnerabilities disclosed between January 1, 2025 and September 30, 2025, comparing their metadata and CVSS scoring across the National Vulnerability Database (NVD) and Sonatype’s internal vulnerability intelligence platform.
The Sonatype Security Research Team evaluated each open source CVE record on four criteria:
- NIST-generated CVSS scores and how they compare with Sonatype analysis
- False positives included in advisory data
- False negatives omitted from advisory data
- Time between public CVE disclosure and NVD analysis
While the study emphasizes open source vulnerabilities, the patterns identified — coverage gaps, scoring inconsistencies, and delays — are representative of systemic issues affecting the broader CVE ecosystem.
Data was verified as of October 1, 2025. All quantitative results are rounded to the nearest whole percentage for clarity.

Media contact: Megan Schmidt, Sonatype, press@sonatype.com
