{"id":79836,"date":"2022-10-13T07:28:41","date_gmt":"2022-10-13T11:28:41","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=79836"},"modified":"2026-04-21T17:49:44","modified_gmt":"2026-04-21T15:49:44","slug":"some-vulnerabilities-dont-have-a-name","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/","title":{"rendered":"Some Vulnerabilities Don\u2019t Have a Name"},"content":{"rendered":"<p>\n\n\n<\/p>\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">Untracked Vulnerabilities<\/h2>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>There is a common assumption that all open-source vulnerabilities hold a <a href=\"https:\/\/www.cve.org\/ResourcesSupport\/FAQs\" target=\"_blank\" rel=\"noreferrer noopener\">CVE<\/a>. Still, others believe that the National Vulnerability Database (<a href=\"https:\/\/nvd.nist.gov\/\" target=\"_blank\" rel=\"noreferrer noopener\">NVD<\/a>) has the final word when deciding what is a vulnerability and what is not. However, can a vulnerability exist that isn\u2019t tracked by a CVE, or is not in the NVD?<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>NVD is the top reference, that\u2019s irrefutable. It\u2019s why those of us on the Checkmarx SCA research team use NVD as our main source of vulnerability information. However, we\u2019ve also <a href=\"https:\/\/checkmarx.com\/blog\/sca-behind-the-curtains\/\" target=\"_blank\" rel=\"noreferrer noopener\">explained previously<\/a> how NVD\u2019s data is often not enough. Moreover, NVD relies on various AppSec authorities and maintainers to maintain a comprehensive database of vulnerabilities.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>In that sense, we must pursue other sources to increase the magnitude of the vulnerability coverage within our SCA solution. 
We call every vulnerability that isn\u2019t present in the NVD, and hence doesn\u2019t have a CVE, an \u201cUntracked Vulnerability.\u201d<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">Our Challenges<\/h2>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>Tracked or not, an exploitable vulnerability in your code can become a gateway to your application being compromised. And like the dark side of the moon that we can\u2019t see, we simply know it\u2019s there. These two assumptions are where the real risk resides.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>However, researching untracked vulnerabilities is a process that comes with some challenges that we need to tackle. The most prominent are:<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<ul class=\"wp-block-list\">\n<li>Untracked vulnerabilities usually have less information available than ones that are tracked, which means that covering the vulnerability requires more difficult research.<\/li>\n<li>The fact that they aren\u2019t validated by a trusted authority requires more work on our part to measure and validate the risk as well. Sometimes, we even need POCs (Proof of Concept) to prove that a vulnerability exists.<\/li>\n<\/ul>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>Both challenges are always present, yet a third challenge arises from time to time. It is common for Untracked Vulnerabilities to be unfixed and they may affect the latest versions of popular packages. 
So sometimes we must exhume vulnerabilities we\u2019ve covered before and confirm whether the research and information about them are still accurate.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>Recently, we had to validate two of these vulnerabilities in the NPM package \u201cdebug.\u201d The \u201cdebug\u201d package is one of the most popular packages on NPM with hundreds of millions of weekly downloads\u2014one more reason to perform our research as thoroughly as possible.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">Memory Leak in \u201cdebug\u201d<\/h2>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p><strong>Confirming the vulnerability<\/strong><\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>One of the vulnerabilities was a Memory Leak, and the starting point was <a href=\"https:\/\/github.com\/debug-js\/debug\/issues\/678\" target=\"_blank\" rel=\"noreferrer noopener\">this issue<\/a>. It wasn\u2019t mentioned anywhere else, and there was no CVE nor any info about this on NVD. So, we knew we would have to research this issue as an Untracked Vulnerability.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p><strong>Where could the issue lead us?<\/strong><\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>When the information about an issue is limited, we must analyze everything from the beginning, and every crumb of information can add up to something. There are references to other issues, commits, etc., in addition to comments that might hold essential information. We must also look for leads on the old analysis that could indicate a misunderstanding or anything that went unnoticed.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>A vigilant journey through the comments showed us how the vulnerability went from being exposed to fixed, and along the way, we gathered enough information to trust the validity of the vulnerability and its fix. There was proof in the comments (including answers from the maintainer) and a fix commit. 
Still, we analyzed the code thoroughly and ran our tools to confirm this.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>But at this point, it wouldn\u2019t suffice to completely trust the issue was fixed. We would have to reproduce the vulnerability and finally extinguish any doubt.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p><strong>Proof of Concept (POC)<\/strong><\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>We know that a memory leak implies that memory that is no longer needed isn\u2019t being freed correctly. In the cybersecurity jargon, it means that the memory will keep on accumulating until something crashes, thus, if intentional, leading to a Denial of Service (DoS).<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>That was precisely the situation here, and all it required was to instantiate \u201cdebug\u201d in a loop.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>That\u2019s what we did using a public POC. One look at the CPU usage and the picture was clear. We could see the memory growing, bit by bit, and it was even clearer after running more instances of the POC. But we needed to make it better to showcase, so we made our own POC. Everything went the same, except that we made it easier to visualize the vulnerability and its results.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/image1-1024x666-1.png\" alt=\"\"><\/figure>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>The only thing that was left was to confirm our previous conclusions regarding the versions. So, we ran the POC for the latest vulnerable version and some of the older ones, only to confirm what we already knew. 
At last, running it for the first fixed versions and the latest one showed that the vulnerability was indeed fixed.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/image2-1024x516-1.png\" alt=\"\"><\/figure>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">ReDoS in \u201cdebug\u201d<\/h2>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p><strong>Confirming the vulnerability<\/strong><\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>The other vulnerability was a Regular Expression Denial of Service, aka, ReDoS. We found it through <a href=\"https:\/\/github.com\/debug-js\/debug\/issues\/737\" target=\"_blank\" rel=\"noreferrer noopener\">this issue<\/a>.<br><br>We saw that the issue was open and there was no fix yet. And from the comments we confirmed it was indeed a vulnerability. Hum&#8230; an unfixed vulnerability? The person reporting the issue had neatly described the problem and affected code, and the maintainer agreed that it should be handled. However, it was planned to be fixed in a later version.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>Nonetheless, we had to reproduce it and create proof that the vulnerability exists.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p><strong>Proof of Concept (POC)<\/strong><\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>To begin with, the POC was also easy because we already had info about the affected components. We needed to call the `enable()` function and give it the regex. However, there was a challenge.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>To summarize, a ReDoS happens when an application accepts regular expressions as input, but it does not validate catastrophic exponential-time regular expressions. Thus, we had to craft a specific malicious regex that would break it and cause the Denial of Service in the application. 
So that is what we did.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>We used the regex `(a+)+`, which searches for the letter \u201ca\u201d and its repetition, and checks if the entire expression is repeating. If we then supplied something like `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaX` as input, we could see the application hanging and running for an undetermined amount of time. This is because each additional &#8220;a&#8221; gives the regex engine another repetition to check, thus doubling the amount of processing time, and the character other than &#8220;a&#8221; at the end forces the match to fail, which causes catastrophic backtracking. Mission accomplished!<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/image3-1024x496-1.png\" alt=\"\"><\/figure>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>Finally, we ran the POC for some earlier versions and for the latest released version, to confirm that the vulnerability was indeed not fixed \u2013 all the versions were vulnerable and could easily be exploited.<\/p>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\">Last words<\/h2>\n<p>\n\n\n<\/p>\n<p>\n\n\n<\/p>\n<p>As we\u2019ve shown in this blog, Untracked Vulnerabilities are vulnerabilities nevertheless, and they must never be underestimated. We will keep working towards increasing our coverage of these Untracked Vulnerabilities since they are a surplus to our customers, and are as critical to security as the tracked vulnerabilities, if not sometimes more critical.<\/p>\n<p>\n\n\n<\/p>\n<p><\/p>\n<p>The SCA research team continues to cover both tracked and untracked vulnerabilities with the same due care. 
You can learn more about Checkmarx SCA <a href=\"https:\/\/checkmarx.com\/cxsca-open-source-scanning\/\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Untracked Vulnerabilities There is a common assumption that all open-source vulnerabilities hold a CVE. Still, others believe that the National Vulnerability Database (NVD) has the final word when deciding what is a vulnerability and what is not. However, can a vulnerability exist that isn\u2019t tracked by a CVE, or is not in the NVD? NVD [&hellip;]<\/p>\n","protected":false},"author":55,"featured_media":79843,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[84],"tags":[142,87,189,397,190,188,178],"class_list":["post-79836","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-application-security-testing","tag-appsec","tag-article","tag-developer","tag-english","tag-open-source-security","tag-sca"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Some Vulnerabilities Don\u2019t Have a Name - Checkmarx.com<\/title>\n<meta name=\"description\" content=\"As shown in this blog, Untracked Vulnerabilities are vulnerabilities nevertheless, and they must never be underestimated. 
We will keep working towards increasing our coverage of these Untracked Vulnerabilities.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Some Vulnerabilities Don\u2019t Have a Name\" \/>\n<meta property=\"og:description\" content=\"As shown in this blog, Untracked Vulnerabilities are vulnerabilities nevertheless, and they must never be underestimated. We will keep working towards increasing our coverage of these Untracked Vulnerabilities.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-13T11:28:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-21T15:49:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Mario Teixeira\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Some Vulnerabilities Don\u2019t Have a Name\" \/>\n<meta name=\"twitter:description\" content=\"As shown in this blog, Untracked Vulnerabilities are vulnerabilities nevertheless, and they must never be underestimated. 
We will keep working towards increasing our coverage of these Untracked Vulnerabilities.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg\" \/>\n<meta name=\"twitter:creator\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mario Teixeira\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/\"},\"author\":{\"name\":\"Mario Teixeira\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/441bef736809860a74f467d0eb061e90\"},\"headline\":\"Some Vulnerabilities Don\u2019t Have a Name\",\"datePublished\":\"2022-10-13T11:28:41+00:00\",\"dateModified\":\"2026-04-21T15:49:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/\"},\"wordCount\":1191,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg\",\"keywords\":[\"Application Security Testing\",\"AppSec\",\"Article\",\"Developer\",\"English\",\"Open-Source Security\",\"SCA\"],\"articleSection\":[\"Blog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/\",\"url\":\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/\",\"name\":\"Some 
Vulnerabilities Don\u2019t Have a Name - Checkmarx.com\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg\",\"datePublished\":\"2022-10-13T11:28:41+00:00\",\"dateModified\":\"2026-04-21T15:49:44+00:00\",\"description\":\"As shown in this blog, Untracked Vulnerabilities are vulnerabilities nevertheless, and they must never be underestimated. We will keep working towards increasing our coverage of these Untracked Vulnerabilities.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg\",\"width\":1600,\"height\":800},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/441bef736809860a74f467d0eb061e90\",\"name\":\"Mario Teixeira\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_55.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_55.jpg\",\"caption\":\"Mario Teixeira\"},\"url\":\"https:\/\/checkmarx.com\/author\/marioteixeira\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Some Vulnerabilities Don\u2019t Have a Name - Checkmarx.com","description":"As shown in this blog, Untracked Vulnerabilities are vulnerabilities nevertheless, and they must never be underestimated. 
We will keep working towards increasing our coverage of these Untracked Vulnerabilities.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/","og_locale":"en_US","og_type":"article","og_title":"Some Vulnerabilities Don\u2019t Have a Name","og_description":"As shown in this blog, Untracked Vulnerabilities are vulnerabilities nevertheless, and they must never be underestimated. We will keep working towards increasing our coverage of these Untracked Vulnerabilities.","og_url":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_published_time":"2022-10-13T11:28:41+00:00","article_modified_time":"2026-04-21T15:49:44+00:00","og_image":[{"width":1600,"height":800,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg","type":"image\/jpeg"}],"author":"Mario Teixeira","twitter_card":"summary_large_image","twitter_title":"Some Vulnerabilities Don\u2019t Have a Name","twitter_description":"As shown in this blog, Untracked Vulnerabilities are vulnerabilities nevertheless, and they must never be underestimated. We will keep working towards increasing our coverage of these Untracked Vulnerabilities.","twitter_image":"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg","twitter_creator":"@checkmarx","twitter_site":"@checkmarx","twitter_misc":{"Written by":"Mario Teixeira","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/#article","isPartOf":{"@id":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/"},"author":{"name":"Mario Teixeira","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/441bef736809860a74f467d0eb061e90"},"headline":"Some Vulnerabilities Don\u2019t Have a Name","datePublished":"2022-10-13T11:28:41+00:00","dateModified":"2026-04-21T15:49:44+00:00","mainEntityOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/"},"wordCount":1191,"publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg","keywords":["Application Security Testing","AppSec","Article","Developer","English","Open-Source Security","SCA"],"articleSection":["Blog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/","url":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/","name":"Some Vulnerabilities Don\u2019t Have a Name - Checkmarx.com","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg","datePublished":"2022-10-13T11:28:41+00:00","dateModified":"2026-04-21T15:49:44+00:00","description":"As shown in this blog, Untracked Vulnerabilities are vulnerabilities nevertheless, and they must never be underestimated. 
We will keep working towards increasing our coverage of these Untracked Vulnerabilities.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/blog\/some-vulnerabilities-dont-have-a-name\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2022\/10\/Shutterstock_496099843.jpg","width":1600,"height":800},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]},{"@type":"Person","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/441bef736809860a74f467d0eb061e90","name":"Mario 
Teixeira","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_55.jpg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_55.jpg","caption":"Mario Teixeira"},"url":"https:\/\/checkmarx.com\/author\/marioteixeira\/"}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/79836","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/comments?post=79836"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/79836\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/79843"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=79836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/categories?post=79836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/tags?post=79836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}