Description
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
Many products are large enough or complex enough that part of their functionality uses libraries, modules, or other intellectual property developed by third parties who are not the product creator. For example, even an entire operating system might be from a third-party supplier in some hardware products. Whether open or closed source, these components may contain publicly known vulnerabilities or hidden functionality such as malware that could be exploited by adversaries to compromise the product.
Potential Impact
Confidentiality, Integrity, Availability
Varies by Context
Mitigations & Prevention
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
Detection Methods
- Automated Analysis High — For software, use Software Composition Analysis (SCA) tools, which automatically analyze products to identify third-party dependencies. Often, SCA tools can be used to link with known vulnerabilities in the dependencies that they detect. There are commercial and open-source alternatives, such as OWA
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2025-45612 | product uses a vulnerable version of an authentication framework, allowing authentication bypass |
Related Weaknesses
Taxonomy Mappings
- ISA/IEC 62443: Part 4-2 — Req CR 2.4
- ISA/IEC 62443: Part 4-2 — Req CR 6.2
- ISA/IEC 62443: Part 4-2 — Req CR 7.2
- ISA/IEC 62443: Part 4-1 — Req SM-9
- ISA/IEC 62443: Part 4-1 — Req SM-10
- ISA/IEC 62443: Part 4-1 — Req SR-2
- ISA/IEC 62443: Part 4-1 — Req DM-1
- ISA/IEC 62443: Part 4-1 — Req DM-3
- ISA/IEC 62443: Part 4-1 — Req DM-4
- ISA/IEC 62443: Part 4-1 — Req SVV-1
- ISA/IEC 62443: Part 4-1 — Req SVV-3
Frequently Asked Questions
What is CWE-1395?
CWE-1395 (Dependency on Vulnerable Third-Party Component) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product has a dependency on a third-party component that contains one or more known vulnerabilities.
How can CWE-1395 be exploited?
Attackers can exploit CWE-1395 (Dependency on Vulnerable Third-Party Component) to varies by context. This weakness is typically introduced during the Architecture and Design, Implementation, Patching and Maintenance phase of software development.
How do I prevent CWE-1395?
Key mitigations include: In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilit
What is the severity of CWE-1395?
CWE-1395 is classified as a Class-level weakness (High abstraction). It has been observed in 1 real-world CVEs.