https://www.secdev.uk/blog/tags/cwe-1104/ Recent content in CWE-1104 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 12 Apr 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-04-12-vulnerable-components/ Sat, 12 Apr 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-04-12-vulnerable-components/ <p>Your application is only as secure as its least-maintained dependency, and this is one of those lessons that really sinks in once you start digging into dependency trees. OWASP A06 (Vulnerable and Outdated Components) covers the reality that most modern applications are more dependency code than application code, and a single outdated library can undermine every security measure you&rsquo;ve built. CWE-1104 captures this: the use of unmaintained third-party components with known vulnerabilities. In this post I&rsquo;ll walk through real dependency chains in Python, Java, and JavaScript, from the Log4Shell-level disasters that make headlines to the subtle version pins that quietly accumulate CVEs while nobody&rsquo;s watching.</p>