
Outdated dependencies patched within 30 days for high and critical CVEs

ab-002409 · security-hardening.dependency-security.patch-timeliness
Severity: low · Status: active

Why it matters

Known CVEs in dependencies are the lowest-effort attack path for automated exploitation frameworks like Metasploit. CWE-1104 (Use of Unmaintained Third-Party Components) and OWASP A06 (Vulnerable and Outdated Components) document that most exploited CVEs have patches available — the delay between patch release and application is the attackers' window. NIST 800-53 SI-2 requires timely remediation of vulnerabilities. A high-severity CVE in express, next, or jsonwebtoken can affect every request and is actively targeted by scanners within hours of public disclosure.

Severity rationale

Low because patching is straightforward once a CVE is known, but the risk scales directly with how long unpatched high/critical CVEs remain in production.

Remediation

Check for CVEs immediately and set a 72-hour SLA for high/critical patches:

# Identify vulnerabilities
npm audit

# Auto-fix non-breaking patches
npm audit fix

# Review breaking changes manually before:
# npm audit fix --force

Merge Dependabot security PRs for high and critical severity within 72 hours. For CVEs with no available patch (upstream hasn't released a fix), evaluate whether the vulnerable code path is reachable and document the exception with a target remediation date.

Detection

  • ID: security-hardening.dependency-security.patch-timeliness

  • Severity: low

  • What to look for: Run npm audit, yarn audit, or Snyk (or review their most recent results) to list all dependencies with known CVEs. For each CVE, note its severity level and how long it has been known. Check whether there are open Dependabot PRs that have been sitting unmerged for more than 30 days.

  • Pass criteria: No high or critical CVE in current dependencies has remained unpatched for more than 30 days. A process exists for reviewing and applying security patches within the 30-day window. Report: "X known CVEs found, Y patched within 30 days."

  • Fail criteria: High or critical CVEs present in dependencies that have been known for more than 30 days. No evidence of a patch review process.

  • Skip (N/A) when: The project was created within the last 30 days and no CVEs have had time to age.

  • Detail on fail: "npm audit reports 3 high severity CVEs — patches available but not applied" or "7 open Dependabot PRs with high-severity labels, oldest is 45 days old and unreviewed"

  • Remediation: Address known CVEs immediately:

    # Check for vulnerabilities
    npm audit
    
    # Auto-fix what can be fixed safely
    npm audit fix
    
    # For major version bumps that may have breaking changes:
    npm audit fix --force  # Use with caution, test thoroughly
    

    Set up a regular review cadence: check npm audit weekly, merge Dependabot PRs for high/critical CVEs within 72 hours.
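A worked evaluation of the pass, fail and skip criteria above, as an added example that is not part of this page or of any Dependabot tooling: it scores a list of dependency alerts against the 30-day window and emits the report and detail strings the check asks for. The alert shape is an assumption modelled on the GitHub Dependabot alerts API (state, created_at, fixed_at, security_advisory.severity); the sample alerts, package names and GHSA ids are constructed placeholders.

```javascript
// Patch-timeliness check: flags open high/critical alerts older than 30 days
// and counts alerts fixed within the window. Runs offline on embedded data.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
const WINDOW_DAYS = 30;
const ACTIONABLE = new Set(['high', 'critical']);

function ageInDays(fromIso, toIso) {
  return Math.floor((Date.parse(toIso) - Date.parse(fromIso)) / MS_PER_DAY);
}

// Returns { skip, pass, known, patchedInWindow, overdue, report, detail }.
function evaluatePatchTimeliness(alerts, nowIso, projectCreatedIso) {
  // Skip (N/A): a project younger than the window cannot have aged CVEs yet.
  if (projectCreatedIso && ageInDays(projectCreatedIso, nowIso) <= WINDOW_DAYS) {
    return { skip: true, pass: true, known: alerts.length, patchedInWindow: 0,
             overdue: [], report: 'N/A: project younger than 30 days', detail: '' };
  }
  let patchedInWindow = 0;
  const overdue = [];
  for (const a of alerts) {
    const sev = a.security_advisory.severity;
    if (a.state === 'fixed' && ageInDays(a.created_at, a.fixed_at) <= WINDOW_DAYS) {
      patchedInWindow++; // counted for any severity
    } else if (a.state === 'open' && ACTIONABLE.has(sev)) {
      const age = ageInDays(a.created_at, nowIso);
      if (age > WINDOW_DAYS) overdue.push({ id: a.security_advisory.ghsa_id,
        pkg: a.dependency.package.name, severity: sev, age });
    }
    // 'dismissed' alerts are neither patched nor overdue here; the rule expects
    // a documented exception with a target remediation date for those.
  }
  overdue.sort((x, y) => y.age - x.age);
  const report = `${alerts.length} known CVEs found, ${patchedInWindow} patched within 30 days.`;
  const detail = overdue.length === 0 ? '' :
    `${overdue.length} open high/critical alert(s) older than 30 days, oldest is ` +
    `${overdue[0].age} days old (${overdue[0].pkg}, ${overdue[0].id})`;
  return { skip: false, pass: overdue.length === 0, known: alerts.length,
           patchedInWindow, overdue, report, detail };
}

// Constructed sample data (assumed API shape; placeholder names and ids).
function makeAlert(state, severity, pkg, created_at, fixed_at = null) {
  return { state, created_at, fixed_at, dependency: { package: { name: pkg } },
           security_advisory: { ghsa_id: `GHSA-EXAMPLE-${pkg}`, severity } };
}
const SAMPLE_NOW = '2024-06-30T00:00:00Z';
const SAMPLE_ALERTS = [
  makeAlert('open',  'critical', 'pkg-a', '2024-05-10T00:00:00Z'),                         // 51 days open
  makeAlert('open',  'high',     'pkg-b', '2024-06-20T00:00:00Z'),                         // 10 days open
  makeAlert('fixed', 'high',     'pkg-c', '2024-04-01T00:00:00Z', '2024-04-20T00:00:00Z'), // fixed in 19 days
  makeAlert('fixed', 'critical', 'pkg-d', '2024-03-01T00:00:00Z', '2024-04-15T00:00:00Z'), // fixed in 45 days
  makeAlert('open',  'medium',   'pkg-e', '2024-01-01T00:00:00Z'),                         // below threshold
];
```

Feeding the sample through `evaluatePatchTimeliness(SAMPLE_ALERTS, SAMPLE_NOW)` yields a fail with pkg-a as the 51-day-old offender; passing a project creation date inside the window returns the skip result instead.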
