Most critical vulnerabilities aren’t worth your attention

Web applications face a wide range of risks, including known-exploitable vulnerabilities, supply chain attacks, and insecure identity configurations in CI/CD, according to the Datadog State of DevSecOps 2025 report.


14% of Java services still contain at least one vulnerability

Analyzing a dataset of applications for known third-party vulnerabilities, the report found that 15% of services are affected by at least one known-exploited vulnerability, and that 30% of organizations run at least one such service.

Known-exploited vulnerabilities are particularly prevalent among Java services: 44% of Java applications contain one. Across the other ecosystems covered by the report (Go, Python, .NET, PHP, Ruby and JavaScript), the average share of applications with a known-exploited vulnerability was only 2%.

In fact, even when counting only high-impact vulnerabilities such as known remote code execution (RCE) issues like Log4Shell and Spring4Shell and other commonly exploited attack vectors, 14% of Java services still contain at least one.

In addition to being more likely to contain high-impact vulnerabilities, Java applications are also patched more slowly than those from other programming ecosystems. Applications built on the Java-based Apache Maven ecosystem took an average of 62 days to pick up library fixes, compared to 46 days for the .NET ecosystem and 19 days for applications built from JavaScript npm packages.

88% of organizations received untargeted malicious HTTP requests, such as requests for /backup.sql, from scanners probing for exposed sensitive files or API routes.
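The kind of traffic described above is easy to spot in ordinary web server access logs. The following is an added example, not code from the report or from Datadog: it parses a few constructed combined-format log lines, normalizes each request path (query string stripped, percent-decoding undone, case folded) and matches it against a watchlist of paths and file suffixes that untargeted scanners typically request. /backup.sql is the path named in the report; the remaining watchlist entries and the sample IP addresses are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# Combined/Common Log Format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Watchlist of paths commonly requested by untargeted scanners. /backup.sql is
# the report's example; the other entries are assumptions for this example.
PROBE_PATHS = {
    "/backup.sql", "/.env", "/.git/config", "/wp-login.php",
    "/phpmyadmin/", "/actuator/env", "/config.json",
}
# File suffixes that suggest a hunt for exposed dumps or backups.
PROBE_SUFFIXES = (".sql", ".bak", ".zip", ".tar.gz", ".old")


def normalize(path: str) -> str:
    """Strip the query string, percent-decode, collapse slashes, lower-case."""
    path = unquote(path.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()


def is_probe(path: str) -> bool:
    """True if the request path matches the watchlist after normalization."""
    p = normalize(path)
    return p in PROBE_PATHS or p.endswith(PROBE_SUFFIXES)


def scan(log_lines):
    """Return {client_ip: [normalized probe paths]} for matching requests."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_probe(m["path"]):
            hits.setdefault(m["ip"], []).append(normalize(m["path"]))
    return hits


def noisy_sources(hits, threshold=3):
    """Client IPs that probed at least `threshold` distinct watchlist paths."""
    return sorted(ip for ip, paths in hits.items() if len(set(paths)) >= threshold)


# Constructed sample log lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2025:12:00:01 +0000] "GET /backup.sql HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2025:12:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2025:12:00:03 +0000] "GET /%2Egit/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Apr/2025:12:00:04 +0000] "GET /api/v1/users?page=2 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Apr/2025:12:00:05 +0000] "POST /api/v1/login HTTP/1.1" 200 87 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Apr/2025:12:00:06 +0000] "GET /db_dump.bak HTTP/1.1" 404 153 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, paths in hits.items():
        print(ip, paths)
    print("scanner-like sources:", noisy_sources(hits))
```

The percent-encoded `/%2Egit/config` line is why normalization runs before matching; a watchlist compared against raw paths would miss it. In the sample, the single client that requested three different watchlist paths is reported as scanner-like, while the client fetching a legitimate API route is not touched, which is the distinction that keeps this from being a ban-on-first-404 rule.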

To better understand the real severity of a vulnerability, Datadog developed a prioritization algorithm that factors runtime context into the vulnerability's Common Vulnerability Scoring System (CVSS) base score.

Runtime context supplies facts that CVSS does not take into account, for example whether the vulnerable code is running in a production environment, or whether the application containing it is exposed to the internet. This reduces noise and surfaces the issues that are most urgent. After runtime context was applied, only 18% of vulnerabilities with a critical CVSS score, less than one in five, were still considered critical.
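To make the idea concrete, here is an added example of context-aware prioritization. It is illustrative code written for this article, not Datadog's algorithm; the adjustment weights, the finding fields and the sample findings are all assumptions. It starts from the CVSS v3.x base score and qualitative rating scale, lowers the score for findings that are not in production or not internet-exposed, raises it for findings that are known to be exploited, and then reports how many of a batch of "critical" base-score findings stay critical once context is considered.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """Hypothetical finding record (field names are this example's own)."""
    name: str
    cvss_base: float        # CVSS v3.x base score, 0.0-10.0
    in_production: bool     # the vulnerable code runs in a production environment
    internet_exposed: bool  # the application is reachable from the internet
    known_exploited: bool   # exploitation has been observed in the wild


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def contextual_score(f: Finding) -> float:
    """Adjust the base score with runtime context (illustrative weights, an assumption).

    The base score describes the bug in isolation. The same bug in a non-production,
    internal-only service is pushed down; a known-exploited bug is pushed up.
    """
    score = f.cvss_base
    if not f.in_production:
        score -= 3.0
    if not f.internet_exposed:
        score -= 2.0
    if f.known_exploited:
        score += 1.0
    return round(min(10.0, max(0.0, score)), 1)


def still_critical(findings):
    """Findings whose rating remains 'critical' after context is applied."""
    return [f for f in findings if cvss_severity(contextual_score(f)) == "critical"]


# Constructed sample: four findings that are all 'critical' by base score alone.
SAMPLE = [
    Finding("finding-1", 9.8, in_production=True,  internet_exposed=True,  known_exploited=True),
    Finding("finding-2", 9.8, in_production=True,  internet_exposed=False, known_exploited=False),
    Finding("finding-3", 9.1, in_production=False, internet_exposed=True,  known_exploited=False),
    Finding("finding-4", 9.0, in_production=False, internet_exposed=False, known_exploited=False),
]

if __name__ == "__main__":
    for f in SAMPLE:
        adjusted = contextual_score(f)
        print(f"{f.name}: base {f.cvss_base} ({cvss_severity(f.cvss_base)}) "
              f"-> contextual {adjusted} ({cvss_severity(adjusted)})")
    print(f"{len(still_critical(SAMPLE))} of {len(SAMPLE)} remain critical")
```

With these weights, one of the four sample findings stays critical: the internet-facing production service with a known-exploited bug. The other three fall to high or medium. The exact numbers are arbitrary, but the shape of the result matches the report's point: the base score alone says "fix all four now", while the context says where the attacker can actually reach.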

Attackers continue to target the software supply chain

Researchers identified thousands of malicious PyPI and npm libraries. Some were malicious from the start and imitated the name of a legitimate package (for instance, passports-js mimicking the legitimate passport library), a technique known as typosquatting. Others were active takeovers of popular, legitimate dependencies (such as Ultralytics, Solana web3.js, and lottie-player). Both techniques are used by state-sponsored actors and cybercriminals alike.
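The passports-js example shows why a plain edit-distance check is not enough for typosquat detection: "passports-js" is four edits away from "passport", so a threshold of one or two misses it unless the decorative "-js" suffix is stripped first. The following added example, which is not code from the report or from any registry, compares a candidate dependency name against a small constructed list of popular packages both as typed and after stripping common affixes, using the optimal string alignment distance so that a single transposed pair of letters also counts as one edit. The popular-package list and the affix list are assumptions.

```python
import re

# Constructed watchlist (assumption: in practice, the top-N names of the registry).
POPULAR = {"passport", "express", "lodash", "requests", "react", "axios", "numpy"}

# Decorations typosquats commonly wrap around a legitimate name (assumption).
PREFIXES = ("node-", "python-", "py-")
SUFFIXES = ("-js", "js", "-node", "-py", "py", "-python")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition = 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def canonical(name: str) -> str:
    """Lower-case, unify separators, and strip one leading and one trailing affix."""
    n = re.sub(r"[._]", "-", name.lower())
    for p in PREFIXES:
        if n.startswith(p) and len(n) > len(p):
            n = n[len(p):]
            break
    for s in SUFFIXES:
        if n.endswith(s) and len(n) > len(s):
            n = n[: -len(s)]
            break
    return n


def suspicious(candidate: str, popular=POPULAR, max_distance=1):
    """Return the popular package this name imitates, or None.

    An exact match is the legitimate package itself. Otherwise both the raw
    name and its canonical form are compared, so that stripping a suffix never
    hides a misspelling in the base name (e.g. 'nympy' still matches 'numpy').
    """
    raw = candidate.lower()
    if raw in popular:
        return None
    c = canonical(candidate)
    best = None
    for legit in sorted(popular):
        dist = min(osa_distance(raw, legit), osa_distance(c, legit))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (legit, dist)
    return best[0] if best else None


if __name__ == "__main__":
    for name in ("passports-js", "passport", "lodahs", "react-js", "nympy", "django"):
        print(f"{name:14} -> {suspicious(name)}")
```

A hit from this check is a reason to stop and look, not an automatic block: real registries contain legitimately named packages within one edit of a popular one, so the result is best used as a review trigger in dependency review or a pre-commit hook for lockfile changes. It also does nothing against the second technique in the report, the takeover of an already-trusted package, which only pinning to exact versions with integrity hashes and watching for unexpected new releases or maintainers can address.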

One of the most common causes of data breaches is long-lived credentials. Last year, 63% of organizations used a form of long-lived credential at least once to authenticate GitHub Actions pipelines. This year, that number dropped to 58%, a positive sign that organizations are slowly improving their credential management processes.

Across all programming languages, dependencies are months behind their latest major update. And those that are less frequently deployed are more likely to be using out-of-date libraries—dependencies in services that are deployed less than once a month are 47% more outdated than those deployed daily. This is an issue for developers as outdated libraries can increase the likelihood that a dependency contains unpatched, exploitable vulnerabilities.

“The report found that security engineers are wasting a lot of time on vulnerabilities that aren’t necessarily all that severe,” said Andrew Krug, Head of Security Advocacy at Datadog. “The massive amount of noise security teams have to deal with is a major issue because it distracts from prioritizing the really critical vulnerabilities. If defenders are able to spend less time triaging issues, they can reduce their organizations’ attack surface all the faster. Focusing on easily exploitable vulnerabilities that are running in production environments for publicly exposed applications will yield the greatest real-world improvements in security posture.”
