Thursday, June 27 • 2:15pm - 3:00pm
Transitive vulnerabilities exploit in real-life

Transitive vulnerabilities are the type of security issue developers hate most, and for a good reason: transitive dependencies are the most common source of vulnerabilities in software projects. Yet only a tiny number of them are exploitable. This talk will present our research findings on quantifying the risk of known vulnerabilities in modern software applications.


We will cover the prevalence of exploitable transitive dependencies in real-world applications. While each vulnerability may have only a slight chance of exploitation, the sheer number of transitive dependencies amplifies the risk significantly. This data underscores the importance of our discussion and the need for effective strategies to mitigate these risks in your software projects.


We will present a PoC exploit for a real-world transitive dependency vulnerability and demonstrate how an attacker can compromise the application by exploiting a vulnerable transitive dependency.

We will discuss practical strategies for mitigating the risks associated with transitive dependencies and how to prioritize addressing them in your threat model.


Speakers
Adi Zlotkin

Open Source Security Research Manager, OX Security
A cybersecurity professional with over a decade of experience in the field. With a strong background in threat intelligence and security research. Currently serving as the Open Source Security Research Manager at OX Security, I lead a team dedicated to uncovering vulnerabilities and...
Eyal Paz

VP of Research, OX Security
Eyal Paz is the VP of Research at OX Security, a software supply chain security startup. His work includes hands-on security research toward a holistic DevSecOps solution. Before joining OX Security, Eyal spent eleven years at Check Point working on security research for product innovation...


Thursday June 27, 2024 2:15pm - 3:00pm WEST