CWE-1395: Dependency on Vulnerable Third-Party Component
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
Last updated
Overview
Many products are large enough or complex enough that part of their functionality uses libraries, modules, or other intellectual property developed by third parties who are not the product creator. For example, even an entire operating system might be from a third-party supplier in some hardware products. Whether open or closed source, these components may contain publicly known vulnerabilities or hidden functionality such as malware that could be exploited by adversaries to compromise the product.
Real-world CVEs
42 recorded CVEs are caused by CWE-1395 (Dependency on Vulnerable Third-Party Component). The highest-severity and most recent are shown first. 18 new CWE-1395 CVEs have been recorded so far in 2026 (16 in 2025).
- CVE-2025-15638
Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt
Critical · CVSS 10.0 · EPSS 43th2026-04-21 - CVE-2025-12220
Busybox 1.31.1 - Multiple Known Vulnerabilities
Critical · CVSS 10.0 · EPSS 26th2025-10-25 - CVE-2025-12219
Vulnerable Components in Azure Access OS
Critical · CVSS 10.0 · EPSS 26th2025-10-25 - CVE-2025-31973
HCL BigFix Service Management (SM) is susceptible to a Configuration – 'Insecure Use of Base Image Version'
Critical · CVSS 9.8 · EPSS 7th2026-05-20 - CVE-2025-59851
HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability
Critical · CVSS 9.8 · EPSS 11th2026-05-06 - CVE-2026-4176
Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib
Critical · CVSS 9.8 · EPSS 48th2026-03-29 - CVE-2026-3257
UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library
Critical · CVSS 9.8 · EPSS 33th2026-03-05 - CVE-2026-3381
Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib
Critical · CVSS 9.8 · EPSS 42th2026-03-05 - CVE-2025-15444
Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium
Critical · CVSS 9.8 · EPSS 13th2026-01-06 - CVE-2022-4976
Archive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities
Critical · CVSS 9.8 · EPSS 27th2025-06-12 - CVE-2025-40912
CryptX for Perl before version 0.065 contains a dependency that may be susceptible to malformed unicode
Critical · CVSS 9.8 · EPSS 27th2025-06-11 - CVE-2025-40914
Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow
Critical · CVSS 9.8 · EPSS 36th2025-06-11
Showing 12 of 42 recorded CWE-1395 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-1395 vulnerabilitiesCommon consequences
What can happen when CWE-1395 is exploited.
Varies by Context
Affects: Confidentiality, Integrity, Availability
The consequences vary widely, depending on the vulnerabilities that exist in the component; how those vulnerabilities can be "reached" by adversaries, as the exploitation paths and attack surface will vary depending on how the component is used; and the criticality of the privilege levels and features for which the product relies on the component.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1395, grouped by where in the lifecycle they apply.
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
How to detect it
Automated Analysis
For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The "SweynTooth" vulnerabilities in Bluetooth Low Energy (BLE) software development kits (SDK) were found to affect multiple Bluetooth System-on-Chip (SoC) manufacturers. These SoCs were used by many products such as medical devices, Smart Home devices, wearables, and other IoT devices. [REF-1314] [REF-1315]
log4j, a Java-based logging framework, is used in a large number of products, with estimates in the range of 3 billion affected devices [REF-1317]. When the "log4shell" (CVE-2021-44228) vulnerability was initially announced, it was actively exploited for remote code execution, requiring urgent mitigation in many organizations. However, it was unclear how many products were affected, as Log4j would sometimes be part of a long sequence of transitive dependencies. [REF-1316]
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2025-45612 — product uses a vulnerable version of an authentication framework, allowing authentication bypass
Terminology & mappings
Mapped taxonomies
- ISA/IEC 62443: Req CR 2.4 (Part 4-2)
- ISA/IEC 62443: Req CR 6.2 (Part 4-2)
- ISA/IEC 62443: Req CR 7.2 (Part 4-2)
- ISA/IEC 62443: Req SM-9 (Part 4-1)
- ISA/IEC 62443: Req SM-10 (Part 4-1)
- ISA/IEC 62443: Req SR-2 (Part 4-1)
- ISA/IEC 62443: Req DM-1 (Part 4-1)
- ISA/IEC 62443: Req DM-3 (Part 4-1)
- ISA/IEC 62443: Req DM-4 (Part 4-1)
- ISA/IEC 62443: Req SVV-1 (Part 4-1)
- ISA/IEC 62443: Req SVV-3 (Part 4-1)
Frequently asked questions
Common questions about CWE-1395.
- What is CWE-1395?
- The product has a dependency on a third-party component that contains one or more known vulnerabilities.
- What CVEs are caused by CWE-1395?
- 42 recorded CVEs are attributed to CWE-1395, including CVE-2025-15638, CVE-2025-12220, CVE-2025-12219.
- How do you prevent CWE-1395?
- In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
- How is CWE-1395 detected?
- Automated Analysis: For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.
- What are the consequences of CWE-1395?
- Exploiting CWE-1395 can lead to: Varies by Context.
- Is CWE-1395 actively exploited?
- 42 recorded CVEs are caused by CWE-1395; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1395) (opens in a new tab)
- CWE-1395 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1395
Get alerted the moment a new CWE-1395 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.