Zero-Day Vulnerability

Security · Exploitation
Definition

A zero-day is a security vulnerability that attackers are actively exploiting before the software vendor knows about it or has released a fix. The name comes from the fact that developers have had zero days to address it. Zero-days are the most dangerous class of vulnerability because there is no patch to apply — the only defenses are workarounds, network controls, or disabling affected functionality.

Zero-day vs known vulnerability

Most CVEs are not zero-days. The typical vulnerability lifecycle goes: researcher discovers the issue → privately notifies the vendor → vendor releases a patch → CVE is assigned and published. At the point of public disclosure, a patch already exists. A zero-day skips the patch step — it's being exploited before anyone has a fix ready.

Zero-days in open source dependencies

In the open source world, zero-days are particularly challenging because the source code is public — attackers can find vulnerabilities by reading the code. The Log4Shell vulnerability (CVE-2021-44228) was being actively exploited in the wild before the Apache team had a complete fix. For the first 72 hours after disclosure, there was no safe version to upgrade to.

What to do when a zero-day affects your dependencies

Paste your manifest — get a fixed version with all CVEs patched in seconds.


Common questions

How is a zero-day different from a CVE?
A CVE is just an ID number — it can be assigned to any vulnerability, including zero-days. A zero-day is a status: being exploited before a fix exists. Once a patch is released, it's no longer technically a zero-day, though it remains on the CISA KEV list if exploitation was confirmed.

Does PackageFix detect zero-days?
PackageFix checks against the OSV database, which is updated daily as new CVEs are published. For true zero-days (exploited before any CVE exists), PackageFix won't have data until the CVE is filed. The CISA KEV catalog is the best signal — it confirms active exploitation regardless of patch status.

Can I protect against zero-days in dependencies?
Partially. Keeping dependencies updated means you patch quickly once a fix is released. Compensating controls (WAF rules, input validation) can block some zero-day exploits before a patch exists. The CISA KEV catalog helps prioritize — a zero-day on KEV needs immediate response.

What was the most significant open source zero-day?
Log4Shell (CVE-2021-44228) in Apache Log4j is widely considered the most severe. It affected virtually every Java application, had a CVSS of 10.0, and was being actively exploited before a complete fix was available. Over 3 billion devices were estimated to be affected.
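The two answers above describe a triage rule: a vulnerability that is on the CISA KEV catalog and has no fixed version yet is a live zero-day and goes to the top of the queue; KEV with a fix means upgrade now; a plain advisory with a fix is routine patching. The script below is an added example (not PackageFix's code) that applies that rule to a dependency list. The package names, versions and CVE ids are constructed placeholders, and the advisory and catalog records are built inline in the shape of the public OSV schema and the KEV JSON feed rather than fetched from either service.

```python
"""Prioritise vulnerable dependencies by combining OSV-style advisories
with a CISA KEV-style catalog.  Added example, not PackageFix code.
Every package, version and CVE id here is constructed; only the record
layouts (OSV 'affected'/'ranges'/'events', KEV 'vulnerabilities'/'cveID')
mirror the real feeds, which this script does not contact."""


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically.
    Leading digits of each dotted piece are used; pre-release tags such as
    '-beta9' are dropped, so this is a demo comparator, not full semver."""
    parts = []
    for piece in v.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)


def affected_range(advisory, ecosystem, name):
    """Return (introduced, fixed) for the named package, or None if the
    advisory does not cover it.  fixed is None when no fix has shipped."""
    for aff in advisory["affected"]:
        pkg = aff["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in aff.get("ranges", []):
            introduced, fixed = "0", None
            for ev in rng["events"]:
                introduced = ev.get("introduced", introduced)
                fixed = ev.get("fixed", fixed)
            return introduced, fixed
    return None


def is_vulnerable(version, introduced, fixed):
    """OSV semantics: affected if introduced <= version < fixed."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def classify(on_kev, fixed):
    """The page's rule: KEV + no fix is a zero-day and outranks everything."""
    if on_kev and fixed is None:
        return "P0 zero-day: exploited in the wild, no fix; apply workaround or disable the feature"
    if on_kev:
        return f"P1: exploited in the wild, upgrade to {fixed} now"
    if fixed is not None:
        return f"P2: upgrade to {fixed} in the next release"
    return "P3: no fix and no confirmed exploitation; monitor"


def triage(dependencies, advisories, kev_catalog):
    """Return findings sorted P0 first; patched-through versions are skipped."""
    kev_ids = {entry["cveID"] for entry in kev_catalog["vulnerabilities"]}
    findings = []
    for dep in dependencies:
        for adv in advisories:
            rng = affected_range(adv, dep["ecosystem"], dep["name"])
            if rng is None or not is_vulnerable(dep["version"], *rng):
                continue
            ids = {adv["id"], *adv.get("aliases", [])}
            on_kev = bool(ids & kev_ids)
            findings.append({
                "package": dep["name"], "version": dep["version"],
                "advisory": adv["id"], "on_kev": on_kev, "fixed": rng[1],
                "action": classify(on_kev, rng[1]),
            })
    findings.sort(key=lambda f: f["action"][:2])  # "P0" < "P1" < ...
    return findings


# Constructed sample input (hypothetical packages and CVE ids).
DEPENDENCIES = [
    {"ecosystem": "npm", "name": "example-parser", "version": "1.4.2"},
    {"ecosystem": "npm", "name": "example-http", "version": "3.0.1"},
    {"ecosystem": "npm", "name": "example-logger", "version": "2.9.0"},
]
ADVISORIES = [
    {"id": "CVE-0000-00001", "affected": [{"package": {"ecosystem": "npm", "name": "example-parser"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.3"}]}]}]},
    {"id": "CVE-0000-00002", "affected": [{"package": {"ecosystem": "npm", "name": "example-http"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "3.0.0"}]}]}]},  # no fix yet
    {"id": "CVE-0000-00003", "affected": [{"package": {"ecosystem": "npm", "name": "example-logger"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}, {"fixed": "2.8.0"}]}]}]},
]
KEV_CATALOG = {"vulnerabilities": [{"cveID": "CVE-0000-00002"}, {"cveID": "CVE-0000-00001"}]}

if __name__ == "__main__":
    for f in triage(DEPENDENCIES, ADVISORIES, KEV_CATALOG):
        print(f"{f['package']}@{f['version']} {f['advisory']}: {f['action']}")
```

Running it lists example-http first (on KEV, no fixed version: the zero-day case) and example-parser second (on KEV, fix available), while example-logger produces no finding because 2.9.0 is already past the fixed version. In practice the advisory list comes from the OSV API and the catalog from the KEV JSON feed; the join logic stays the same.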
