CVEs for reachability

Last updated: Mar 24, 2026

Fluid Attacks informs of the reachability status at the following levels:

  • Latent: (a) A vulnerable dependency is declared in the package manager, but (b) no file imports the dependency.
  • Potential: (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, but (c) the vulnerable function in the dependency is not called from the code.
  • Reachable: (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, and (c) the vulnerable function in the dependency is called from the code.

Below are two technical examples and an analogy for better comprehension:

Example in JS (Node.js):

package.json

{
  "name": "demo-app",
  "version": "1.0.0",
  "dependencies": {
    "vulnLib": "1.2.3"
  }
}

app.js

// Each block below is a separate version of app.js, one per reachability level.

// LATENT: library declared in package.json but neither imported nor used
console.log("Hello world");

// POTENTIAL: library imported but the vulnerable function is not called
import vulnLib from 'vulnLib';
console.log("Library loaded but dangerous function not used");

// REACHABLE: library imported and the vulnerable function is called
import vulnLib from 'vulnLib';
vulnLib.dangerousFunction(); // <- Risk activated

Example in Python

requirements.txt
vuln-lib==1.2.3

app.py

# LATENT: Library declared in requirements.txt but not imported nor used
print("Hello world")

# POTENTIAL: Library imported but vulnerable function not used
import vuln_lib
print("Library loaded but dangerous function not used")

# REACHABLE: Library imported and vulnerable function is used
import vuln_lib
vuln_lib.dangerousFunction()  # <- Risk activated

Analogy

  • Latent

    1. (a) The book is in the library (declared), but
    2. (b) you do not read any chapter (not imported).
  • Potential

    1. (a) The book is in the library (declared),
    2. (b) you start reading any chapter (imported), but
    3. (c) you do not read the faulty chapter.
  • Reachable

    1. (a) The book is in the library (declared),
    2. (b) you start reading any chapter (imported), and
    3. (c) you read the faulty chapter and use it as a reference for your MBA thesis.
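As an added illustration, not code from the original page or from Fluid Attacks' tooling, the script below applies the three levels to a requirements.txt and one source file using only the standard-library ast module. The advisory mapping (vuln-lib -> vuln_lib.dangerousFunction) and the sample inputs are constructed, and the check goes slightly beyond the page's cases by also recognising aliased imports (import vuln_lib as vl) and from-imports of the vulnerable function.

```python
import ast
import re

# Hypothetical advisory data (constructed): package -> (import name, vulnerable function).
ADVISORIES = {"vuln-lib": ("vuln_lib", "dangerousFunction")}
# Constructed sample inputs mirroring the Latent / Potential / Reachable cases above.
REQUIREMENTS = "requests==2.31.0\nvuln-lib==1.2.3\n"
APP_LATENT = 'print("Hello world")\n'
APP_POTENTIAL = 'import vuln_lib\nprint("loaded, not called")\n'
APP_REACHABLE = 'import vuln_lib as vl\nvl.dangerousFunction()\n'
APP_FROM_IMPORT = 'from vuln_lib import dangerousFunction as df\ndf()\n'


def declared_packages(requirements: str) -> set[str]:
    """Package names in a requirements.txt, version specifiers stripped."""
    names = set()
    for line in requirements.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(re.split(r"[=<>!~\[;\s]", line, maxsplit=1)[0].lower())
    return names


def classify(requirements: str, source: str) -> dict[str, str]:
    """Map each declared vulnerable package to Latent / Potential / Reachable."""
    tree = ast.parse(source)
    aliases, direct = {}, set()  # bound name -> module; (module, bound name, function)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[(a.asname or a.name).split(".")[0]] = a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            direct.update((node.module.split(".")[0], a.asname or a.name, a.name)
                          for a in node.names)
    imported = set(aliases.values()) | {d[0] for d in direct}
    calls = [n.func for n in ast.walk(tree) if isinstance(n, ast.Call)]
    result = {}
    for pkg in declared_packages(requirements) & set(ADVISORIES):
        module, func = ADVISORIES[pkg]
        if module not in imported:
            result[pkg] = "Latent"  # declared, never imported
            continue
        called = any(
            (isinstance(f, ast.Attribute) and f.attr == func
             and isinstance(f.value, ast.Name) and aliases.get(f.value.id) == module)
            or (isinstance(f, ast.Name) and (module, f.id, func) in direct)
            for f in calls)
        result[pkg] = "Reachable" if called else "Potential"
    return result
```

Packages that are declared but have no advisory (requests in the sample) are not reported at all; only the syntactic call sites in one file are examined, so calls reached through wrappers or other modules are outside what this toy check sees.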

Supported

Latent and Potential

At the Latent and Potential levels, Fluid Attacks supports all CVEs (or other advisories) issued about vulnerable third-party dependencies or libraries in reliable vulnerability databases and written in all supported languages and package managers. See the list of sources in Vulnerability signature update.

Reachable

Currently, Fluid Attacks has methods to detect when software actually calls the known vulnerable functions reported in the CVE entries/advisories shown in the following table, where they are classified by the programming language in which the functions are written:

Language | CVE IDs | Number of methods
--- | --- | ---
C# | CVE-2024-45302, CVE-2024-21907, CVE-2021-43045 | 3
Dart | CVE-2023-39139 | 1
Go | CVE-2025-27144 | 1
Java | CVE-2023-33202, CVE-2023-26919, CVE-2022-45690, CVE-2022-45689, CVE-2021-43570, CVE-2021-37573 | 6
JavaScript | CVE-2025-57810, CVE-2025-56200, CVE-2024-45590, CVE-2024-43796, CVE-2024-39338, CVE-2024-29415, CVE-2024-21538, CVE-2024-10491, CVE-2023-46233, CVE-2023-42282, CVE-2023-37466, CVE-2023-37903, CVE-2023-3696, CVE-2023-32314, CVE-2023-28155, CVE-2023-25813, CVE-2023-22579, CVE-2023-22578, CVE-2022-31129, CVE-2022-25887, CVE-2022-25881, CVE-2022-24785, CVE-2022-23540, CVE-2021-3918, CVE-2021-3749, CVE-2021-26540, CVE-2021-26539, CVE-2021-23771, CVE-2021-23566, CVE-2021-23382, CVE-2021-23337, CVE-2020-8203, CVE-2020-7766, CVE-2020-7712, CVE-2020-28500, CVE-2020-15084, CVE-2019-10775, CVE-2019-10744, CVE-2019-10742, CVE-2019-1010266, CVE-2018-16487, CVE-2018-3721, CVE-2018-1109, CVE-2017-18214, CVE-2017-16137, CVE-2017-16016, CVE-2016-10707, CVE-2016-1000237, GHSA-mm7p-fcc7-pg87, GHSA-9h6g-pr28-7cqp, GHSA-9v62-24cr-58cx, GHSA-4xcv-9jjx-gfj3 | 52
Kotlin | CVE-2021-43570 | 1
PHP | CVE-2021-3902 | 1
Python | CVE-2025-57833, CVE-2025-50181, CVE-2024-39303, CVE-2023-49083, CVE-2023-46136, CVE-2023-44271, CVE-2023-36053, CVE-2023-32681, CVE-2022-24859, CVE-2022-22817, CVE-2021-33503, CVE-2020-28975, CVE-2020-13091 | 13
Ruby | CVE-2024-41123, CVE-2024-35176, CVE-2023-22796, CVE-2021-41817, CVE-2021-32740 | 5
Scala | CVE-2021-41084 | 1
Swift | CVE-2023-44386 | 1
TypeScript | CVE-2025-57810, CVE-2025-56200, CVE-2024-45590, CVE-2024-43796, CVE-2024-39338, CVE-2024-29415, CVE-2024-21538, CVE-2024-10491, CVE-2023-46233, CVE-2023-42282, CVE-2023-37903, CVE-2023-37466, CVE-2023-3696, CVE-2023-32314, CVE-2023-28155, CVE-2023-25813, CVE-2023-22579, CVE-2023-22578, CVE-2022-31129, CVE-2022-25887, CVE-2022-25881, CVE-2022-24785, CVE-2022-23540, CVE-2021-3918, CVE-2021-3749, CVE-2021-26540, CVE-2021-26539, CVE-2021-23771, CVE-2021-23566, CVE-2021-23382, CVE-2021-23337, CVE-2020-8203, CVE-2020-7766, CVE-2020-7712, CVE-2020-28500, CVE-2020-15084, CVE-2019-10775, CVE-2019-10744, CVE-2019-10742, CVE-2019-1010266, CVE-2018-16487, CVE-2018-1109, CVE-2018-3721, CVE-2017-18214, CVE-2017-16137, CVE-2017-16016, CVE-2016-10707, CVE-2016-1000237, GHSA-mm7p-fcc7-pg87, GHSA-9h6g-pr28-7cqp, GHSA-9v62-24cr-58cx, GHSA-4xcv-9jjx-gfj3 | 52
Total methods | | 137

Unsupported

Latent and Potential

At the Latent and Potential levels, Fluid Attacks' testing does not support CVEs/advisories outside its supported databases and supported languages and packages.

Reachable

At the Reachable level, Fluid Attacks' analysis does not support any CVE/advisory corresponding to vulnerabilities in software libraries not listed in the above table.
