What is a Transitive Package Vulnerability? Real Examples and How to Fix Them

April 1, 2026 · PackageFix · 8 min read

Transitive vulnerabilities are CVEs in packages your app does not directly depend on - but pulls in indirectly through another package. They are harder to find, harder to fix, and account for the majority of CVEs in most production applications.

Direct vs transitive dependencies

Your package.json lists your direct dependencies - the packages you chose to install. Each of those packages has its own dependencies, which have their own dependencies, and so on. The full tree can contain hundreds of packages from a handful of direct dependencies.

A direct dependency vulnerability is straightforward: update the package in your package.json. A transitive vulnerability is more complex: you do not control that package directly - it is managed by one of your direct dependencies.

Your app
  express 4.17.1   (direct)
    qs 6.5.2       (transitive - CVE-2022-24999)
      ---> VULNERABLE

Real example: qs via Express

CVE-2022-24999 is a prototype pollution vulnerability in the qs query string library. Most developers who had this vulnerability had never heard of qs - it was pulled in automatically by Express to parse HTTP query strings.

npm audit flagged it. But updating qs directly in package.json did nothing - Express controlled which version of qs it used. The fix required either updating Express to 4.18.0+ (which bundled a safe qs) or using an npm override.

The fix - npm overrides

// package.json
{
  "dependencies": {
    "express": "4.17.1"
  },
  "overrides": {
    "qs": "6.11.0"
  }
}

Real example: minimist - the CVE that was everywhere

CVE-2021-44906 (CVSS 9.8, CISA KEV) is a prototype pollution vulnerability in minimist - a tiny argument parser. minimist itself is almost never a direct dependency. But it was a transitive dependency of npm, webpack, mocha, eslint, and thousands of other tools.

Running npm ls minimist on a typical Node.js project in 2022 would show minimist appearing 20-30 times, pulled in from different parent packages at different levels. The only practical fix was an npm override forcing the safe version across the entire tree.

// package.json
{
  "overrides": {
    "minimist": "1.2.6"
  }
}

Real example: Log4Shell - the transitive CVE that broke the internet

CVE-2021-44228 (Log4Shell, CVSS 10.0) is the most severe transitive vulnerability ever discovered. Log4j is a logging library - most Java applications that had it did not know they had it, because it arrived as a transitive dependency of thousands of enterprise Java frameworks.

Organizations that did not know their full dependency tree had no idea they were vulnerable. This incident more than any other drove adoption of SBOMs and dependency scanning tools.

How PackageFix handles transitive vulnerabilities

Paste your manifest and lockfile into PackageFix. The lockfile contains the full resolved dependency tree including all transitive packages. PackageFix scans every package in the tree against OSV and CISA KEV, shows the dependency path for each vulnerability, and generates the npm overrides block to fix transitive CVEs where no parent update is available.
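The lockfile walk described above, as an added example that is not PackageFix code: it resolves each dependency the way Node does from a lockfile v2/v3 "packages" map, reports every path from the root to a vulnerable copy (as npm ls would), and builds the overrides entry. The lockfile excerpt is constructed, and the vulnerable range and safe version are assumed inputs taken from the advisory.

```javascript
// Added example, not PackageFix code. Walks an npm lockfile (v2/v3 "packages"
// map) to list every path from the root to a vulnerable copy of a package and
// builds the "overrides" entry that pins the safe version across the tree.
// Compare dotted numeric versions: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++)
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
// Resolve `name` as Node does from lockfile location `from`: own node_modules first, then each enclosing one.
function resolveDependency(packages, from, name) {
  for (let dir = from; ; ) {
    const key = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[key]) return key;
    if (!dir) return null;
    const parent = dir.replace(/\/?node_modules\/(@[^/]+\/)?[^/]+$/, '');
    if (parent === dir) return null; // malformed key: stop rather than loop forever
    dir = parent;
  }
}
// Depth-first walk from the root (key ""), recording each chain of package names that ends
// at an installed copy of `name` whose version satisfies `isVulnerable`. Cycles are checked
// per path, so every distinct path is reported, the way `npm ls <name>` lists them.
function findVulnerablePaths(lock, name, isVulnerable) {
  const packages = lock.packages, found = [];
  (function walk(loc, names, locs) {
    for (const dep of Object.keys(packages[loc]?.dependencies || {})) {
      const target = resolveDependency(packages, loc, dep);
      if (!target || locs.includes(target)) continue;
      const version = packages[target].version;
      if (dep === name && isVulnerable(version)) found.push([...names, `${dep}@${version}`]);
      walk(target, [...names, dep], [...locs, target]);
    }
  })('', [], ['']);
  return found;
}
// The package.json fragment that forces one version tree-wide (null when nothing is affected).
function overridesFor(paths, name, safeVersion) {
  return paths.length ? { overrides: { [name]: safeVersion } } : null;
}
// Constructed lockfile excerpt: two installed copies of qs; only the hoisted 6.7.0 is below the pin.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { dependencies: { express: '4.17.1', 'some-cli': '1.0.0' } },
  'node_modules/express': { version: '4.17.1', dependencies: { qs: '6.7.0', 'body-parser': '1.19.0' } },
  'node_modules/body-parser': { version: '1.19.0', dependencies: { qs: '6.7.0' } },
  'node_modules/qs': { version: '6.7.0' },
  'node_modules/some-cli': { version: '1.0.0', dependencies: { qs: '6.11.0' } },
  'node_modules/some-cli/node_modules/qs': { version: '6.11.0' },
} };
// Treat anything below the version the post pins in its override as needing the fix.
const QS_PATHS = findVulnerablePaths(SAMPLE_LOCK, 'qs', v => compareVersions(v, '6.11.0') < 0);
```

QS_PATHS comes back as express -> qs@6.7.0 and express -> body-parser -> qs@6.7.0, while the nested qs under some-cli is correctly left alone; `overridesFor(QS_PATHS, 'qs', '6.11.0')` yields the same overrides block shown earlier in the post.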


Common questions

How do I find transitive vulnerabilities?
npm audit and pip-audit show transitive vulnerabilities but don't always make it clear which direct dependency is pulling in the vulnerable package. PackageFix shows the full dependency path: Your App -> express -> qs -> [vulnerable version]. You can also run npm ls [package-name] to see which packages pull in a specific dependency.
Can npm audit fix transitive vulnerabilities automatically?
npm audit fix --force can sometimes resolve transitive vulnerabilities by upgrading the parent package. But if the parent package hasn't released a version that uses the safe transitive version, npm audit fix won't help. That's when npm overrides are the solution.
What is an npm override and when should I use it?
An npm override forces a specific version of a package regardless of what parent packages request. Use it when a transitive dependency has a CVE but the parent package hasn't released a fix yet. Add it to your package.json overrides field. PackageFix generates the exact overrides block you need.
Are transitive vulnerabilities actually exploitable?
It depends on whether the vulnerable code path is reachable from your application - this is called reachability analysis. A CVE in a package your app never calls is technically present but may not be practically exploitable. CISA KEV entries are confirmed exploited in real attacks regardless of reachability.
How many levels deep can transitive dependencies go?
In large Node.js projects, dependency trees commonly go 10-15 levels deep. A vulnerability at any level can affect your application. The minimist CVE (CVE-2021-44906) affected thousands of packages because minimist was a transitive dependency 5-8 levels deep in many common tools.
