
Supply Chain Blind Spot: End‑of‑Life Open‑Source Packages Evade CVE Feeds and SCA Tools

Open‑source maintainers stop publishing CVE ranges for end‑of‑life versions, leaving a blind spot where vulnerability scanners receive no alerts. This creates false‑negative security confidence and exposes organizations to exploitable components that go unflagged.

LiveThreat™ Intelligence · May 06, 2026 · bleepingcomputer.com
  • Severity: High
  • Type: Advisory
  • Confidence: High
  • Affected: 2 sector(s)
  • Actions: 3 recommended
  • Source: bleepingcomputer.com

What Happened — When an open‑source project's release line reaches end of life (EOL), maintainers generally stop enumerating those versions in the affected‑version ranges of CVE and advisory records, so vulnerability scanners and SBOM tools that match on those ranges raise no alert for them. Sonatype's 2026 State of the Software Supply Chain report counts 167,286 exploitable components that went unflagged in 2025 because of this "EOL blind spot."

Why It Matters for TPRM

  • False negatives (no alert for a component that is in fact vulnerable) give a misleading sense of security and increase exposure to known exploits.
  • Third‑party software inventories that rely on standard CVE feeds may miss critical vulnerabilities in legacy dependencies.
  • Unchecked EOL components can become footholds for supply‑chain attacks, jeopardizing downstream services and data.

Who Is Affected — Enterprises using open‑source libraries across all sectors; SaaS vendors, cloud‑native platforms, and MSPs that depend on automated SCA tools.

Recommended Actions

  • Augment existing SCA pipelines with EOL‑aware scanning (e.g., HeroDevs’ EOL DS or similar).
  • Incorporate regular SBOM reviews that flag any dependency whose release line is marked EOL by its maintainers or in major registries, regardless of whether an advisory has matched it.
  • Require vendors to provide explicit EOL status and remediation paths for all shipped components.

Technical Notes — The issue stems from the CVE ecosystem's reliance on maintainers to define the affected version ranges in each record. When a release line reaches EOL, maintainers typically stop issuing advisories for it and stop including it in new ranges, so a scanner that matches a component's version against published ranges finds nothing and reports it exactly as it would report a patched version. No specific CVE or vulnerability is exploited here; the risk is the absence of detection, and the practical consequence is that "no findings" from an SCA tool is only meaningful for components that are still on a supported release line. Source: BleepingComputer
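The following is an added example illustrating both the mechanism described in the Technical Notes and the EOL‑aware review called for under Recommended Actions; it is not code from the original article, from Sonatype, or from any scanner vendor. It takes a constructed CycloneDX SBOM fragment, a constructed advisory in the OSV record shape, and a constructed end‑of‑life table shaped like the per‑product data endoflife.date returns, and shows why pure range matching calls an EOL component "clean": the advisory's `introduced`/`fixed` events only cover the supported 2.x line, so 1.9.3 matches nothing, and only the EOL check surfaces it. The package names, advisory identifier, versions and dates are all hypothetical.

```python
"""Added example (constructed inputs only): cross-check a CycloneDX SBOM against
OSV-style advisory ranges AND an end-of-life table, so a component the advisory
feed is silent about is not reported as clean while it sits on an EOL line."""
from datetime import date

REPORT_DATE = date(2026, 5, 6)  # the brief's date, used as "today" for EOL checks

# Constructed CycloneDX 1.5 SBOM fragment; package names are hypothetical.
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "examplelib", "version": "1.9.3", "purl": "pkg:npm/examplelib@1.9.3"},
    {"type": "library", "name": "examplelib", "version": "2.3.0", "purl": "pkg:npm/examplelib@2.3.0"},
    {"type": "library", "name": "otherlib", "version": "4.1.0", "purl": "pkg:npm/otherlib@4.1.0"},
]}

# Constructed advisory in OSV record shape. Only the supported 2.x line was
# enumerated; the EOL 1.x line got no range, so range matching says 1.9.3 is clean.
ADVISORIES = [{
    "id": "EXAMPLE-2026-0001",  # hypothetical identifier, not a real CVE/GHSA
    "affected": [{"package": {"ecosystem": "npm", "name": "examplelib"},
                  "ranges": [{"type": "SEMVER",
                              "events": [{"introduced": "2.0.0"}, {"fixed": "2.4.2"}]}]}],
}]

# Constructed EOL table in the per-product shape endoflife.date returns:
# "eol" is an ISO date once the cycle is unsupported, False while supported.
EOL_CYCLES = {"examplelib": [{"cycle": "1", "eol": "2024-06-30"},
                             {"cycle": "2", "eol": False}]}


def parse_version(v):
    """Plain dotted numeric versions only (assumption; no pre-release tags)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, events):
    """OSV SEMVER semantics: events sorted ascending; the version is affected if
    the last event at or below it is 'introduced'. 'last_affected' not handled."""
    v, affected = parse_version(version), False
    for ev in events:
        if "introduced" in ev:
            if ev["introduced"] == "0" or parse_version(ev["introduced"]) <= v:
                affected = True
            else:
                break  # every later event is above v too
        elif "fixed" in ev:
            if parse_version(ev["fixed"]) <= v:
                affected = False
            else:
                break
    return affected


def advisory_hits(component, advisories=ADVISORIES):
    """IDs of advisories whose published ranges cover this component."""
    hits = []
    for adv in advisories:
        for aff in adv["affected"]:
            if aff["package"]["name"] != component["name"]:
                continue
            for rng in aff["ranges"]:
                if rng["type"] == "SEMVER" and is_affected(component["version"], rng["events"]):
                    hits.append(adv["id"])
    return hits


def eol_status(component, today=REPORT_DATE, cycles=EOL_CYCLES):
    """'eol', 'supported' or 'unknown' for the component's major release line.
    Absence from the table is 'unknown', never 'supported'."""
    major = component["version"].split(".")[0]
    for cyc in cycles.get(component["name"], []):
        if cyc["cycle"] == major:
            if cyc["eol"] is False:
                return "supported"
            return "eol" if date.fromisoformat(cyc["eol"]) <= today else "supported"
    return "unknown"


def triage(sbom=SBOM, today=REPORT_DATE):
    """One verdict per component; 'no finding' only when both the advisory
    feed is silent AND the EOL table positively says the line is supported."""
    rows = []
    for comp in sbom["components"]:
        hits, support = advisory_hits(comp), eol_status(comp, today)
        if hits:
            verdict = "ADVISORY"
        elif support == "eol":
            verdict = "EOL-BLIND-SPOT"
        elif support == "unknown":
            verdict = "UNKNOWN-SUPPORT"
        else:
            verdict = "no finding"
        rows.append({"purl": comp["purl"], "advisories": hits, "support": support, "verdict": verdict})
    return rows


if __name__ == "__main__":
    for r in triage():
        print(f"{r['purl']:<30} {r['verdict']:<16} advisories={r['advisories']} support={r['support']}")
```

Two design points matter for a real pipeline. First, `eol_status` treats a package missing from the EOL table as unknown rather than supported, so a gap in EOL coverage is surfaced for review instead of silently widening the blind spot. Second, the `is_affected` check shows what the maintainer would have had to publish to close the gap: an `introduced: "0"` event would cover every version below the fix, including the EOL 1.x line, whereas `introduced: "2.0.0"` leaves 1.9.3 looking identical to a patched build.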

📰 Original Source
https://www.bleepingcomputer.com/news/security/the-eol-blind-spot-in-your-cve-feed-what-sca-tools-miss/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
