November 20, 2025 - Sonatype®, the leader in AI-driven DevSecOps, today released a new report, “Trust Issues: The CVE Crisis,” revealing that the world’s most widely used vulnerability index — the Common Vulnerabilities and Exposures (CVE) system — struggles to keep pace with the realities of modern software development. The study analyzed 1,552 open source vulnerabilities disclosed in 2025 and found that nearly two-thirds (64%) lacked severity scores from the National Vulnerability Database (NVD).
The study from Sonatype Security Research exposes widespread inaccuracies and delays in the global CVE system that organizations, security professionals, and generative and agentic AI tools rely on to prioritize and remediate risk. Key takeaways from the study include:
Coverage is collapsing: Only 36% of open source CVEs had a CVSS score assigned by the NVD, meaning teams are only able to effectively triage in one third of cases. Upon review by Sonatype, nearly half of all unscored vulnerabilities were scored in the Critical or High range.
Accuracy is unreliable: Of the CVEs that were scored, fewer than 1 in 5 severity ratings were correct; 62% of NVD scores overstated severity while 34% understated it. On top of that, 19,945 false positives and 156,474 false negatives were identified across CVE records — wasting developer time and obscuring real threats.
Timeliness is deteriorating: 2025 saw a mean delay of more than six weeks between disclosure and NVD scoring, with some advisories taking up to 50 weeks. This signals that the CVE/NVD pipeline can’t keep pace with today’s exploit timelines, turning “official” data into an operational bottleneck.
“The CVE program was never built for the scale and speed of modern, component-based software development. That has been the case with open source, and is even more true with AI,” said Brian Fox, CTO and Co-founder of Sonatype. “Vulnerability intelligence must shift from indexing what someone assigned yesterday, to delivering real-time insight into what’s actually running in your environment. CVE remains a shared language — but it can’t be the full story anymore. We need intelligence that is dynamic: version-aware, ecosystem-aware and ready at machine-speed.”
The security community urgently needs to move beyond indexing to real-time intelligence. Sonatype is already leading that shift with Nexus One, its newly launched AI-native DevSecOps platform that brings together open source intelligence, governance, malware defense, and dependency automation into a single, agentic infrastructure. Built on more than 15 years of curated OSS intelligence and advanced machine learning, Nexus One delivers 10 times faster insights than the NVD and enables organizations to remediate risk 30% faster on average.
“The findings from our CVE study underscore exactly why Nexus One exists,” said Bhagwat Swaroop, CEO of Sonatype. “Traditional systems can’t keep up with the scale and sophistication of open source risk associated with gen AI and agentic AI development. Nexus One gives enterprises the intelligence, automation, and visibility they need to innovate securely — turning what used to be a bottleneck into a competitive advantage.”
To download “Trust Issues: The CVE Crisis,” visit www.sonatype.com/resources/research/the-cve-crisis.
Sonatype Nexus One and Sonatype solutions are available in Romania through Simple IT, Sonatype Partner in Romania.
About Simple IT
SIMPLE IT is a distributor for software solutions and hardware appliances, adding value with consulting, training, implementation, configuration and support services, backed by certified specialists, in order to offer the best IT experience to customers and partners. For more information, please visit www.simpleit.com.ro.