

RedHunt Labs partnered with Snyk to conduct a comprehensive study on the security of the top 1000 GitHub organizations. Our focus was on Java, JavaScript, Python, and Ruby repositories, specifically targeting insecure dependencies. We filtered repositories based on star count and keywords to concentrate on impactful ones, resulting in 11,900 repositories being examined. In total, we found 1,229,601 vulnerabilities across 15,584 vulnerable dependency files.
Among Java repositories, Deserialization of Untrusted Data was the most prevalent vulnerability, with 334,805 vulnerabilities in 48,323 dependent files. JavaScript repositories had Prototype Pollution as the most common vulnerability, with 549,566 vulnerabilities found in 6,101 dependent files. Denial of Service (DoS) vulnerabilities were prominent in Python repositories, totaling 72,082 vulnerabilities in 2,602 dependency files. Ruby repositories had 273,148 vulnerabilities across 697 dependency files, primarily associated with Denial of Service (DoS) vulnerabilities.
We also highlighted the top ten researchers who reported the highest number of vulnerabilities and provided an in-depth analysis of the Zip Slip vulnerability, showcasing its potential consequences.
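The Zip Slip issue analyzed in the report comes down to archive member names that resolve outside the directory they are extracted into. As an added example (not code from the RedHunt Labs/Snyk report), the Python below builds a constructed archive containing two such members and shows the canonical-path check that rejects them before anything is written to disk; the function names and the sample member names are assumptions for this illustration.

```python
import io
import os
import shutil
import tempfile
import zipfile

# Constructed sample archive (not from the report): one benign member and two
# Zip Slip-style members whose names try to resolve outside the target directory.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.yml", "debug: false\n")
        zf.writestr("../../outside.txt", "escaped the extraction dir\n")
        zf.writestr("/abs/path.txt", "absolute member name\n")
    return buf.getvalue()

def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Member names whose canonical target path would land outside dest."""
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # realpath collapses '..' segments; an absolute name discards dest entirely
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(name)
    return bad

def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Write only members that stay inside dest; return the names written."""
    rejected = set(unsafe_entries(zip_bytes, dest))
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in rejected or info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)
            written.append(info.filename)
    return written

def demo() -> tuple[list[str], list[str]]:
    """Run both checks against a throwaway directory; returns (rejected, written)."""
    dest = tempfile.mkdtemp()
    try:
        data = build_sample_zip()
        return unsafe_entries(data, dest), safe_extract(data, dest)
    finally:
        shutil.rmtree(dest, ignore_errors=True)
```

The same check applies to tar archives and to any extraction helper that joins an attacker-controlled member name onto a base directory without canonicalizing the result.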
To address these vulnerabilities, we recommend using tools like Snyk for vulnerability scanning, updating dependencies regularly, removing unnecessary ones, and conducting thorough dependency checks before installation.
Our study concludes by emphasizing the ongoing risk that vulnerable dependencies pose in software supply chains. It is crucial for developers to prioritize the security of their code repositories by staying current with patches and adopting a vigilant approach to dependency management. RedHunt Labs remains committed to raising awareness and promoting best practices for a more secure software development ecosystem.