- What is CWE-1395?
- The product has a dependency on a third-party component that contains one or more known vulnerabilities.
- What CVEs are caused by CWE-1395?
- 42 recorded CVEs are attributed to CWE-1395, including CVE-2025-15638, CVE-2025-12220, CVE-2025-12219.
- How do you prevent CWE-1395?
- In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
- How is CWE-1395 detected?
- Automated Analysis: For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWASP Dependency-Check [REF-1312]. Many languages or frameworks have package managers with similar capabilities, such as npm audit for JavaScript, pip-audit for Python, govulncheck for Go, and many others. Dynamic methods can detect loading of third-party components.
- What are the consequences of CWE-1395?
- Exploiting CWE-1395 can lead to: Varies by Context.
- Is CWE-1395 actively exploited?
- 42 recorded CVEs are caused by CWE-1395; none are currently in CISA's KEV catalog of actively exploited flaws.