How to read and understand a security vulnerability report (CVE)
CVE format, CVSS score, severity ratings, affected versions, remediation steps, NVD database, npm audit
Reading CVE Reports
CVE (Common Vulnerabilities and Exposures) entries are the standard way publicly known software vulnerabilities are identified and reported; the NVD database adds the CVSS score and affected-version data to each entry. Reading them accurately lets you prioritize patching without panic and without complacency.
Anatomy of a CVE
CVE ID: A unique identifier such as CVE-2021-44228 (Log4Shell). The year is when the ID was assigned, not when the bug was introduced and not necessarily when it was disclosed.
CVSS Score: A 0–10 base score. CVSS v3 bands are 0.1–3.9 low, 4.0–6.9 medium, 7.0–8.9 high, 9.0–10.0 critical. The score is computed from the bug's generic prerequisites (attack vector, attack complexity, privileges required, user interaction) and its impact on confidentiality, integrity and availability; it knows nothing about your environment. The vector string behind the number is often more useful than the number itself: AV:N means the bug is reachable over the network, PR:N means no authentication is needed. A 9.8 in software you don't run, or in a code path your application never calls, is irrelevant.
Affected versions: The version ranges that contain the flaw, and the first version that fixes it. Compare them against what is actually installed, including transitive dependencies: package.json only records ranges, while package-lock.json (or npm ls <package>) gives the resolved versions.
Description: States the vulnerable component and what an attacker needs to trigger the bug, for example network access, valid credentials, a crafted file, or user interaction. Read it; it tells you whether the vulnerable code path is exposed in your deployment and whether an unauthenticated attacker can reach it.
Finding Vulnerabilities in Your Dependencies
# Check for known vulnerabilities in npm packages
npm audit
# Auto-apply fixes that stay within the semver ranges in package.json
# (a fix that needs a major-version bump is reported but only applied with --force)
npm audit fix
# Full report as JSON: severity, CVSS score and vector, advisory URL
# (the linked GitHub advisory page lists the CVE ID), affected range, fixAvailable
npm audit --json | jq '.vulnerabilities'
# Report only production dependencies (skip devDependencies)
npm audit --omit=dev
# Fail CI only at or above a severity threshold
npm audit --audit-level=high
# For Yarn Classic; Yarn 2+ uses `yarn npm audit`
yarn audit
Triage Criteria
Ask three questions for each finding: Is this package in production, not only a devDependency? Is the vulnerable code path reachable by an unauthenticated user? The CVSS vector hints at this (AV:N and PR:N) but only your own code, and how it calls the package, confirms it. Does a fixed version exist? If all three are yes, patch immediately. Otherwise, document the risk acceptance with the reason and a review date, and schedule the upgrade.
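A worked example that ties the CVSS vector reading above to the three triage questions. It is added here as illustration and is not code from this page or from npm: it scores CVSS v3.1 vector strings in the form they appear in npm audit --json output (via[].cvss.vectorString), flags findings an unauthenticated network attacker can reach (AV:N together with PR:N), and applies the three questions to every entry. The audit report below is a constructed sample with fictional package names, the set of production packages is assumed to come from npm ls --omit=dev --json in a real run, and the function names (baseScore, triage, and so on) are this example's own.

```javascript
// Added example, not from the page or from npm. The audit JSON below is a
// constructed sample with fictional package names.

// CVSS v3.1 base metric weights, from the FIRST specification.
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { N: [0.85, 0.85], L: [0.62, 0.68], H: [0.27, 0.5] }, // [scope unchanged, changed]
  UI: { N: 0.85, R: 0.62 },
  CIA: { H: 0.56, L: 0.22, N: 0 },
};

// "CVSS:3.1/AV:N/AC:L/..." -> { AV: 'N', AC: 'L', ... }. 3.0 vectors are accepted
// and scored with the 3.1 formula (they differ only in the rounding rule).
function parseVector(vector) {
  const parts = vector.split('/');
  if (!/^CVSS:3\.[01]$/.test(parts[0])) throw new Error(`unsupported vector: ${vector}`);
  const m = {};
  for (const p of parts.slice(1)) {
    const [k, v] = p.split(':');
    m[k] = v;
  }
  for (const k of ['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A']) {
    if (!(k in m)) throw new Error(`vector missing ${k}: ${vector}`);
  }
  return m;
}

// CVSS v3.1 "Roundup": round up to one decimal using the spec's integer trick.
function roundUp(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

function baseScore(vector) {
  const m = parseVector(vector);
  const changed = m.S === 'C';
  const iss = 1 - (1 - W.CIA[m.C]) * (1 - W.CIA[m.I]) * (1 - W.CIA[m.A]);
  const impact = changed ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15) : 6.42 * iss;
  const exploitability = 8.22 * W.AV[m.AV] * W.AC[m.AC] * W.PR[m.PR][changed ? 1 : 0] * W.UI[m.UI];
  if (impact <= 0) return 0;
  return roundUp(Math.min(changed ? 1.08 * (impact + exploitability) : impact + exploitability, 10));
}

function severity(score) {
  if (score === 0) return 'none';
  if (score < 4) return 'low';
  if (score < 7) return 'medium';
  if (score < 9) return 'high';
  return 'critical';
}

// Network attack vector and no privileges required: the advisory itself says an
// unauthenticated remote attacker can trigger the bug. Whether your code ever
// calls the vulnerable function is a separate question the vector cannot answer.
function unauthenticatedRemote(vector) {
  const m = parseVector(vector);
  return m.AV === 'N' && m.PR === 'N';
}

// Apply the three triage questions to each entry of `npm audit --json`.
function triage(audit, productionPackages) {
  const results = [];
  for (const [name, v] of Object.entries(audit.vulnerabilities)) {
    // `via` mixes advisory objects with plain strings (packages the finding is
    // inherited through); only the objects carry a CVSS vector.
    const vectors = v.via
      .filter((x) => typeof x === 'object' && x.cvss && x.cvss.vectorString)
      .map((x) => x.cvss.vectorString);
    const worst = vectors.length ? Math.max(...vectors.map((vec) => baseScore(vec))) : null;
    const inProduction = productionPackages.has(name);
    const unauthenticated = vectors.some(unauthenticatedRemote);
    const fixExists = Boolean(v.fixAvailable);
    // fixAvailable may be an object; isSemVerMajor means plain `npm audit fix`
    // will not apply it (the upgrade is a breaking major version).
    const breakingFix = typeof v.fixAvailable === 'object' && v.fixAvailable.isSemVerMajor === true;
    results.push({
      name, score: worst, severity: worst === null ? v.severity : severity(worst),
      inProduction, unauthenticated, fixExists, breakingFix,
      action: inProduction && unauthenticated && fixExists ? 'patch-now' : 'schedule',
    });
  }
  return results.sort((a, b) => (b.score ?? 0) - (a.score ?? 0));
}

// Constructed sample in the npm 7+ audit report shape (fictional packages, hypothetical data).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-template': {
      name: 'example-template', severity: 'critical', isDirect: true,
      via: [{ name: 'example-template', title: 'Code execution via template injection',
        cvss: { score: 9.8, vectorString: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' }, range: '<2.1.0' }],
      effects: [], range: '<2.1.0', nodes: ['node_modules/example-template'],
      fixAvailable: { name: 'example-template', version: '2.1.0', isSemVerMajor: true },
    },
    'example-devtool': {
      name: 'example-devtool', severity: 'medium', isDirect: true,
      via: [{ name: 'example-devtool', title: 'Local file disclosure',
        cvss: { score: 5.5, vectorString: 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N' }, range: '<0.9.2' }],
      effects: [], range: '<0.9.2', nodes: ['node_modules/example-devtool'],
      fixAvailable: true,
    },
    'example-transitive': {
      name: 'example-transitive', severity: 'high', isDirect: false,
      via: ['example-template'], // inherited finding, no advisory object of its own
      effects: [], range: '*', nodes: ['node_modules/example-transitive'], fixAvailable: false,
    },
  },
};

// Assumed to come from `npm ls --omit=dev --json` in a real run.
const PRODUCTION = new Set(['example-template', 'example-transitive']);

console.log(JSON.stringify(triage(SAMPLE_AUDIT, PRODUCTION), null, 2));
```

Running it lists example-template first as patch-now with breakingFix set, which is the case where npm audit fix alone does nothing and you must plan the major upgrade; example-devtool is scheduled because it is not in production; example-transitive is scheduled because its only via entry is a package name, so there is no vector to judge reachability and no fix yet.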
