CISA Known Exploited Vulnerabilities — Open Source Packages

Packages currently on the CISA KEV catalog that PackageFix can detect and fix. The CISA KEV catalog lists vulnerabilities confirmed to be actively exploited in the wild. Fix these first.

🔴 Active Threat

All packages below are on the CISA Known Exploited Vulnerabilities catalog. These are not theoretical risks — they are being exploited in real attacks right now. US federal agencies are mandated to remediate these immediately.

Exploited Open Source Packages (24 packages)

| Package | Ecosystem | CVE ID | Severity | Description |
|---|---|---|---|---|
| lodash | npm | CVE-2020-8203 | HIGH | Prototype pollution via zipper merge |
| qs | npm | CVE-2022-24999 | HIGH | Prototype pollution via query string |
| axios | npm | CVE-2023-45857 | HIGH | SSRF via protocol-relative URL |
| jsonwebtoken | npm | CVE-2022-23540 | CRITICAL | Algorithm confusion JWT forging |
| minimist | npm | CVE-2021-44906 | CRITICAL | Prototype pollution in args |
| vm2 | npm | CVE-2023-29017 | CRITICAL | Sandbox escape RCE |
| sharp | npm | CVE-2023-4863 | CRITICAL | Heap buffer overflow (libwebp) |
| follow-redirects | npm | CVE-2023-26159 | MEDIUM | URL redirect to untrusted site |
| PyYAML | PyPI | CVE-2020-14343 | CRITICAL | Arbitrary code via yaml.load() |
| rack | Ruby | CVE-2023-27530 | HIGH | DoS via multipart parsing |
| omniauth | Ruby | CVE-2015-9284 | HIGH | CSRF via OAuth GET callback |
| dompdf | PHP | CVE-2021-3838 | CRITICAL | RCE via CSS import URL |
| flysystem | PHP | CVE-2021-32708 | CRITICAL | Path traversal arbitrary file read |
| grpc (grpc-go) | Go | CVE-2023-44487 | HIGH | HTTP/2 rapid reset DoS |
| net (golang.org/x/net) | Go | CVE-2023-44487 | HIGH | HTTP/2 rapid reset DoS |
| openssl | Rust | CVE-2023-0286 | CRITICAL | X.400 memory corruption |
| hyper | Rust | CVE-2023-44487 | HIGH | HTTP/2 rapid reset DoS |
| log4j | Java | CVE-2021-44228 | CRITICAL | Log4Shell — JNDI RCE |
| spring-core | Java | CVE-2022-22965 | CRITICAL | Spring4Shell — RCE via data binding |
| commons-text | Java | CVE-2022-42889 | CRITICAL | Text4Shell — RCE via interpolation |
| snakeyaml | Java | CVE-2022-1471 | CRITICAL | RCE via YAML deserialization |
| commons-collections | Java | CVE-2015-6420 | CRITICAL | RCE via Java deserialization |
| jjwt | Java | CVE-2022-21449 | CRITICAL | ECDSA Psychic Signatures bypass |
| netty | Java | CVE-2023-44487 | HIGH | HTTP/2 rapid reset DoS |

Scan your dependencies now — paste your manifest, get a fixed version back in seconds.


No signup · No CLI · No GitHub · Runs 100% in your browser

Why CISA KEV Matters for Developers

The CVE database contains tens of thousands of vulnerabilities. Most will never be exploited. CISA KEV is different — it's a curated list of vulnerabilities that threat actors are actively using in real attacks against real systems. A package on this list is not a theoretical risk.

PackageFix checks the live CISA KEV catalog on every scan. The catalog updates daily — CVEs added yesterday are reflected immediately. This is the hardest moat in dependency scanning: the data is always newer than any AI training dataset.

The Highest-Risk Entries

🔴 Log4Shell (CVE-2021-44228) — Apache Log4j — CRITICAL

Remote code execution via JNDI lookup in log messages. Affected virtually every Java application logging with Log4j 2.x. Still being exploited 3+ years after disclosure.

🔴 Spring4Shell (CVE-2022-22965) — Spring Framework — CRITICAL

Remote code execution via data binding with Spring MVC on Java 9+. Affected the majority of Spring Boot applications.

🔴 Text4Shell (CVE-2022-42889) — Apache Commons Text — CRITICAL

Remote code execution via string interpolation. Similar attack surface to Log4Shell. Any application using StringSubstitutor is affected.

🔴 HTTP/2 Rapid Reset (CVE-2023-44487) — Multiple packages — HIGH

Denial of service via the HTTP/2 rapid reset attack. Affects grpc-go, golang.org/x/net, Netty, hyper (Rust), and any framework built on these.

Frequently Asked Questions

What is the CISA KEV catalog?

The CISA Known Exploited Vulnerabilities catalog lists vulnerabilities that are confirmed to be actively exploited in the wild. CISA mandates that US federal agencies remediate KEV entries within defined timeframes. All developers should treat KEV entries as immediate fix priorities.

How often does the CISA KEV catalog update?

The CISA KEV catalog updates daily. PackageFix checks the live catalog every scan — the data is always current. AI training data is always stale on KEV entries published after the training cutoff.

How do I check if my dependencies are on the CISA KEV list?

Paste your manifest file into PackageFix. Packages on the CISA KEV list are flagged with a red KEV badge in the CVE table and listed in the ACTIVELY EXPLOITED banner at the top of results.

What does it mean if my package is on the KEV list?

It means the vulnerability is being actively exploited in real attacks right now — not just theoretically possible. KEV packages should be patched immediately, before your next release cycle.

Which package managers have the most CISA KEV entries?

Java/Maven has the most KEV entries (Log4Shell, Spring4Shell, Text4Shell, SnakeYAML). npm has the second most (lodash, qs, vm2, jsonwebtoken). Both ecosystems should be audited regularly.
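The two FAQ answers above describe the check in product terms: read a manifest, map each package to its advisories, and put anything on KEV at the top of the list. The script below is an added example of that triage logic and is not PackageFix's code. Its KEV excerpt is constructed sample data that only follows the field names of CISA's JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the package-to-CVE map is an assumption taken from the table on this page and covers only npm and PyPI. It matches on package name alone and records the declared version for the report; a real scanner would also check affected version ranges from an advisory database.

```python
"""Cross-reference a dependency manifest against a KEV feed and rank findings.

Added example: sample feed, manifests and advisory map are constructed for
illustration, not downloaded and not the page's or PackageFix's own data.
"""
import json
import re

# Constructed excerpt shaped like CISA's KEV JSON feed (real field names,
# sample values; dates are placeholders, not the catalog's actual dates).
KEV_FEED_SAMPLE = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2024-01-01", "dueDate": "2024-01-15",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2020-8203", "vendorProject": "lodash", "product": "lodash",
         "dateAdded": "2024-01-10", "dueDate": "2024-02-01",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-14343", "vendorProject": "PyYAML", "product": "PyYAML",
         "dateAdded": "2024-01-05", "dueDate": "2024-01-20",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Assumed (ecosystem, normalized package) -> CVEs, taken from this page's table.
PACKAGE_ADVISORIES = {
    ("npm", "lodash"): ["CVE-2020-8203"],
    ("npm", "qs"): ["CVE-2022-24999"],
    ("npm", "axios"): ["CVE-2023-45857"],
    ("pypi", "pyyaml"): ["CVE-2020-14343"],
}

# Constructed manifests used as sample input.
PACKAGE_JSON_SAMPLE = json.dumps({
    "dependencies": {"lodash": "^4.17.15", "express": "^4.18.2"},
    "devDependencies": {"qs": "6.5.2"},
})
REQUIREMENTS_SAMPLE = "PyYAML==5.3.1\nrequests>=2.31  # not pinned\n"


def kev_index(feed):
    """Map cveID -> KEV entry so each lookup is a dict hit."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def parse_package_json(text):
    """Return {("npm", name): declared_spec} from dependencies and devDependencies."""
    data = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            deps[("npm", name.lower())] = spec
    return deps


_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?")


def parse_requirements(text):
    """Return {("pypi", normalized_name): pinned_version_or_'unpinned'}."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        m = _REQ_LINE.match(line)
        if m:
            # PEP 503 normalization: lowercase, runs of "-", "_" and "." become "-".
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            deps[("pypi", name)] = m.group(2) or "unpinned"
    return deps


def scan(deps, advisories, feed):
    """Flag every known advisory; KEV entries sort first, earliest due date first."""
    kev = kev_index(feed)
    findings = []
    for (ecosystem, package), version in deps.items():
        for cve in advisories.get((ecosystem, package), []):
            entry = kev.get(cve)
            findings.append({
                "ecosystem": ecosystem, "package": package, "version": version,
                "cve": cve, "kev": entry is not None,
                "due_date": entry["dueDate"] if entry else None,
                "ransomware": bool(entry) and entry["knownRansomwareCampaignUse"] == "Known",
            })
    findings.sort(key=lambda f: (not f["kev"], f["due_date"] or "9999-12-31", f["cve"]))
    return findings


def scan_samples():
    """Run the constructed manifests through the scanner."""
    deps = {}
    deps.update(parse_package_json(PACKAGE_JSON_SAMPLE))
    deps.update(parse_requirements(REQUIREMENTS_SAMPLE))
    return scan(deps, PACKAGE_ADVISORIES, KEV_FEED_SAMPLE)


if __name__ == "__main__":
    for f in scan_samples():
        tag = "ACTIVELY EXPLOITED (due %s)" % f["due_date"] if f["kev"] else "advisory"
        print(f"{f['ecosystem']}/{f['package']} {f['version']} {f['cve']}: {tag}")
```

The sort key is the point of the example: a finding that is on KEV always outranks one that is not, regardless of CVSS severity, and among KEV findings the nearest CISA due date goes first. The qs advisory is left out of the constructed feed excerpt on purpose so the output shows a non-KEV finding dropping below the KEV ones.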
