--- description: "CVEs for which the Fluid Attacks reachability analysis is supported. It determines if dependency vulnerabilities are exploitable in your applications." keywords: "Fluid Attacks reachability analysis, Fluid Attacks reachable vulnerabilities analysis, vulnerability exploitation, supply chain security, Fluid Attacks SAST, Fluid Attacks documentation" other: private: false title: Supported CVEs for reachability analysis --- # Supported CVEs for reachability analysis import { Table } from "nextra/components"; ## Supported > [!NOTE] > > Fluid Attacks informs of reachability status at the following levels: > > 1. **Latent:** (a) A vulnerable dependency is declared in the package manager, but (b) no file imports the dependency. > 2. **Potential:** (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, but (c) the vulnerable function in the dependency is not called from the code. > 3. **Reachable:** (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, and (c) the vulnerable function in the dependency is called from the code. > > Below are two technical examples and an analogy for better comprehension: > > Example 1 in JS (Node.js) > > Example 2 in Python > > Analogy > > Example 1 in JS (Node.js) > > ![File](https://res.cloudinary.com/fluid-attacks/image/upload/v1755265743/docs/find-and-fix-vulnerabilities/use-the-platform/manage-vulnerabilities/open-file-fluid-attacks-kb.png) > > **package.json** > > ``` > { "name": "demo-app", "version": "1.0.0", "dependencies": { "vulnLib": "1.2.3" }} > ``` > > ![File](https://res.cloudinary.com/fluid-attacks/image/upload/v1755265743/docs/find-and-fix-vulnerabilities/use-the-platform/manage-vulnerabilities/open-file-fluid-attacks-kb.png) > > **app.js** > > `*// LATENT: Library declared in package.json but not imported nor used* console.log("Hello world"); *// POTENTIAL: Library imported but vulnerable function not used* import vulnLib from 'vulnLib', console.log("Library loaded but dangerous function not used") *// REACHABLE: Library imported and vulnerable function is used* import vulnLib from 'vulnLib', vulnLib.dangerousFunction(); *// <- Risk activated*` > > ``` > // REACHABLE: Library imported and vulnerable function is used > ``` > > Example 2 in Python > > ![File](https://res.cloudinary.com/fluid-attacks/image/upload/v1755265743/docs/find-and-fix-vulnerabilities/use-the-platform/manage-vulnerabilities/open-file-fluid-attacks-kb.png) > > **requirements.txt** > > `vuln-lib==1.2.3` > > ![File](https://res.cloudinary.com/fluid-attacks/image/upload/v1755265743/docs/find-and-fix-vulnerabilities/use-the-platform/manage-vulnerabilities/open-file-fluid-attacks-kb.png) > > **app.py** > > `*# LATENT: Library declared in requirements.txt but not imported nor used* print("Hello world") *# POTENTIAL: Library imported but vulnerable function not used* import vuln_lib print("Library loaded but dangerous function not used") *# REACHABLE: Library imported and vulnerable function is used* import vuln_lib vuln_lib.dangerousFunction() *# <- Risk activated*` > > ``` > // REACHABLE: Library imported and vulnerable function is used > ``` > > Analogy > > 1. **Latent** > 1. The book is **in the library** (declared), but > 1. you **do not read any chapter** (not imported). > 1. **Potential** > 1. The book is **in the library** (declared), > 1. you **start reading any chapter** (imported), but > 1. you **do not read the faulty chapter**. > 1. **Reachable** > 1. The book is **in the library** (declared), > 1. you **start reading any chapter** (imported), and > 1. you **read the faulty chapter and use it as a reference for your MBA thesis**. ### Latent and Potential At the Latent and Potential levels, Fluid Attacks supports all CVEs (or other advisories) issued about vulnerable third-party dependencies or libraries in reliable vulnerability databases and written in all supported [languages](https://help.fluidattacks.com/portal/en/kb/articles/supported-languages) and [package managers](https://help.fluidattacks.com/portal/en/kb/articles/supported-package-managers#Supported). See the list of sources in [Vulnerability signature update](https://help.fluidattacks.com/portal/en/kb/articles/vulnerability-signature-update). ### Reachable Currently, Fluid Attacks has methods to detect when software effectively calls [known vulnerable functions](https://help.fluidattacks.com/portal/en/kb/articles/find-reachable-dependency-vulnerabilities) reported in the CVE entries/advisories shown in the following table, where they are classified by the programming language in which the functions are written: **Language** **CVE IDs** **Methods** C# [CVE-2024-45302](https://nvd.nist.gov/vuln/detail/CVE-2024-45302)[ ](https://nvd.nist.gov/vuln/detail/CVE-2024-21907)[CVE-2024-21907 ](https://nvd.nist.gov/vuln/detail/CVE-2024-21907)[CVE-2021-43045](https://nvd.nist.gov/vuln/detail/CVE-2021-43045) 3 Dart [CVE-2023-39139](https://nvd.nist.gov/vuln/detail/CVE-2023-39139) 1 Go [CVE-2025-27144](https://nvd.nist.gov/vuln/detail/CVE-2025-27144) 1 Java [CVE-2023-33202](https://nvd.nist.gov/vuln/detail/cve-2023-33202)[ ](https://nvd.nist.gov/vuln/detail/CVE-2023-26919)[CVE-2023-26919 ](https://nvd.nist.gov/vuln/detail/CVE-2023-26919) [CVE-2022-45690 ](https://nvd.nist.gov/vuln/detail/CVE-2022-45690) [CVE-2022-45689](https://nvd.nist.gov/vuln/detail/CVE-2022-45689)[ ](https://nvd.nist.gov/vuln/detail/CVE-2021-43570)[CVE-2021-43570 ](https://nvd.nist.gov/vuln/detail/CVE-2021-43570)[CVE-2021-37573](https://nvd.nist.gov/vuln/detail/CVE-2021-37573) 6 JavaScript [CVE-2025-57810 ](https://nvd.nist.gov/vuln/detail/CVE-2025-57810)[CVE-2025-56200](https://nvd.nist.gov/vuln/detail/CVE-2025-56200)[CVE-2024-45590 ](https://nvd.nist.gov/vuln/detail/cve-2024-45590)[CVE-2024-43796 ](https://nvd.nist.gov/vuln/detail/CVE-2024-43796)[CVE-2024-39338](https://nvd.nist.gov/vuln/detail/CVE-2024-39338)[CVE-2024-29415 ](https://nvd.nist.gov/vuln/detail/CVE-2024-29415)[CVE-2024-21538](https://nvd.nist.gov/vuln/detail/CVE-2024-21538)[CVE-2024-10491 ](https://nvd.nist.gov/vuln/detail/CVE-2024-10491)[CVE-2023-46233](https://nvd.nist.gov/vuln/detail/CVE-2023-46233)[CVE-2023-42282](https://nvd.nist.gov/vuln/detail/CVE-2023-42282)[CVE-2023-37466 ](https://nvd.nist.gov/vuln/detail/CVE-2023-37466)[CVE-2023-37903 ](https://nvd.nist.gov/vuln/detail/CVE-2023-37903)[CVE-2023-3696](https://nvd.nist.gov/vuln/detail/CVE-2023-3696)[CVE-2023-32314](https://nvd.nist.gov/vuln/detail/CVE-2023-32314)[CVE-2023-28155](https://nvd.nist.gov/vuln/detail/CVE-2023-28155) [CVE-2023-25813 ](https://nvd.nist.gov/vuln/detail/CVE-2023-25813)[CVE-2023-22579 ](https://nvd.nist.gov/vuln/detail/CVE-2023-22579)[CVE-2023-22578](https://nvd.nist.gov/vuln/detail/CVE-2023-22578)[CVE-2022-31129](https://nvd.nist.gov/vuln/detail/CVE-2022-31129)[CVE-2022-25887](https://nvd.nist.gov/vuln/detail/CVE-2022-25887) [CVE-2022-25881 ](https://nvd.nist.gov/vuln/detail/CVE-2022-25881)[CVE-2022-24785](https://nvd.nist.gov/vuln/detail/cve-2022-24785)[CVE-2022-23540 ](https://nvd.nist.gov/vuln/detail/CVE-2022-23540)[CVE-2021-3918 ](https://nvd.nist.gov/vuln/detail/CVE-2021-3918) [CVE-2021-3749](https://nvd.nist.gov/vuln/detail/CVE-2021-3749) [CVE-2021-26540 ](https://nvd.nist.gov/vuln/detail/CVE-2021-26540)[CVE-2021-26539 ](https://nvd.nist.gov/vuln/detail/CVE-2021-26539)[CVE-2021-23771](https://nvd.nist.gov/vuln/detail/CVE-2021-23771)[ ](https://nvd.nist.gov/vuln/detail/CVE-2021-23566)[CVE-2021-23566 ](https://nvd.nist.gov/vuln/detail/CVE-2021-23566)[CVE-2021-23382](https://nvd.nist.gov/vuln/detail/CVE-2021-23382)[CVE-2021-23337 ](https://nvd.nist.gov/vuln/detail/CVE-2021-23337)[CVE-2020-8203 ](https://nvd.nist.gov/vuln/detail/CVE-2020-8203)[CVE-2020-7766](https://nvd.nist.gov/vuln/detail/CVE-2020-7766)[CVE-2020-7712](https://nvd.nist.gov/vuln/detail/CVE-2020-7712)[CVE-2020-28500](https://nvd.nist.gov/vuln/detail/CVE-2020-28500)[CVE-2020-15084 ](https://nvd.nist.gov/vuln/detail/CVE-2020-15084)[CVE-2019-10775 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10775)[CVE-2019-10744 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10744)[CVE-2019-10742](https://nvd.nist.gov/vuln/detail/CVE-2019-10742)[CVE-2019-1010266 ](https://nvd.nist.gov/vuln/detail/CVE-2019-1010266)[CVE-2018-16487](https://nvd.nist.gov/vuln/detail/CVE-2018-16487)[CVE-2018-3721 ](https://nvd.nist.gov/vuln/detail/CVE-2018-3721)[CVE-2018-1109](https://nvd.nist.gov/vuln/detail/CVE-2018-1109) [CVE-2017-18214 ](https://nvd.nist.gov/vuln/detail/CVE-2017-18214)[CVE-2017-16137](https://nvd.nist.gov/vuln/detail/CVE-2017-16137)[CVE-2017-16016 ](https://nvd.nist.gov/vuln/detail/CVE-2017-16016)[CVE-2016-10707](https://nvd.nist.gov/vuln/detail/CVE-2016-10707)[CVE-2016-1000237 ](https://nvd.nist.gov/vuln/detail/CVE-2016-1000237)[GHSA-mm7p-fcc7-pg87](https://github.com/advisories/GHSA-mm7p-fcc7-pg87)[GHSA-9h6g-pr28-7cqp ](https://github.com/advisories/GHSA-9h6g-pr28-7cqp)[GHSA-9v62-24cr-58cx ](https://github.com/advisories/GHSA-9v62-24cr-58cx)[GHSA-4xcv-9jjx-gfj3](https://github.com/advisories/GHSA-4xcv-9jjx-gfj3) 52 Kotlin [CVE-2021-43570](https://nvd.nist.gov/vuln/detail/CVE-2021-43570) 1 PHP [CVE-2021-3902](https://nvd.nist.gov/vuln/detail/CVE-2021-3902) 1 Python [CVE-2025-57833 ](https://nvd.nist.gov/vuln/detail/CVE-2025-57833)[CVE-2025-50181](https://nvd.nist.gov/vuln/detail/CVE-2025-50181)[CVE-2024-39303 ](https://nvd.nist.gov/vuln/detail/CVE-2024-39303)[CVE-2023-49083 ](https://nvd.nist.gov/vuln/detail/CVE-2023-49083)[CVE-2023-46136](https://nvd.nist.gov/vuln/detail/CVE-2023-46136) [CVE-2023-44271 ](https://nvd.nist.gov/vuln/detail/CVE-2023-44271)[CVE-2023-36053](https://nvd.nist.gov/vuln/detail/CVE-2023-36053)[CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681)[CVE-2022-24859](https://nvd.nist.gov/vuln/detail/CVE-2022-24859)[CVE-2022-22817 ](https://nvd.nist.gov/vuln/detail/CVE-2022-22817)[CVE-2021-33503](https://nvd.nist.gov/vuln/detail/CVE-2021-33503)[CVE-2020-28975](https://nvd.nist.gov/vuln/detail/CVE-2020-28975)[CVE-2020-13091](https://nvd.nist.gov/vuln/detail/CVE-2020-13091) 13 Ruby [CVE-2024-41123](https://nvd.nist.gov/vuln/detail/CVE-2024-41123)[ ](https://nvd.nist.gov/vuln/detail/CVE-2024-35176)[CVE-2024-35176 ](https://nvd.nist.gov/vuln/detail/CVE-2024-35176)[CVE-2023-22796](https://nvd.nist.gov/vuln/detail/CVE-2023-22796)[CVE-2021-41817 ](https://nvd.nist.gov/vuln/detail/CVE-2021-41817)[CVE-2021-32740](https://nvd.nist.gov/vuln/detail/CVE-2021-32740) 5 Scala [CVE-2021-41084](https://nvd.nist.gov/vuln/detail/CVE-2021-41084) 1 Swift [CVE-2023-44386](https://nvd.nist.gov/vuln/detail/CVE-2023-44386) 1 TypeScript [CVE-2025-57810 ](https://nvd.nist.gov/vuln/detail/CVE-2025-57810)[CVE-2025-56200](https://nvd.nist.gov/vuln/detail/CVE-2025-56200)[CVE-2024-45590](https://nvd.nist.gov/vuln/detail/cve-2024-45590)[ ](https://nvd.nist.gov/vuln/detail/CVE-2024-43796)[CVE-2024-43796 ](https://nvd.nist.gov/vuln/detail/CVE-2024-43796)[CVE-2024-39338](https://nvd.nist.gov/vuln/detail/CVE-2024-39338)[CVE-2024-29415 ](https://nvd.nist.gov/vuln/detail/CVE-2024-29415)[CVE-2024-21538](https://nvd.nist.gov/vuln/detail/CVE-2024-21538)[CVE-2024-10491 ](https://nvd.nist.gov/vuln/detail/CVE-2024-10491)[CVE-2023-46233](https://nvd.nist.gov/vuln/detail/CVE-2023-46233)[CVE-2023-42282](https://nvd.nist.gov/vuln/detail/CVE-2023-42282)[CVE-2023-37903](https://nvd.nist.gov/vuln/detail/CVE-2023-37903)[CVE-2023-37466 ](https://nvd.nist.gov/vuln/detail/CVE-2023-37466)[CVE-2023-3696](https://nvd.nist.gov/vuln/detail/CVE-2023-3696)[CVE-2023-32314](https://nvd.nist.gov/vuln/detail/CVE-2023-32314)[CVE-2023-28155](https://nvd.nist.gov/vuln/detail/CVE-2023-28155) [CVE-2023-25813 ](https://nvd.nist.gov/vuln/detail/CVE-2023-25813)[CVE-2023-22579 ](https://nvd.nist.gov/vuln/detail/CVE-2023-22579)[CVE-2023-22578](https://nvd.nist.gov/vuln/detail/CVE-2023-22578)[CVE-2022-31129](https://nvd.nist.gov/vuln/detail/CVE-2022-31129)[CVE-2022-25887](https://nvd.nist.gov/vuln/detail/CVE-2022-25887) [CVE-2022-25881 ](https://nvd.nist.gov/vuln/detail/CVE-2022-25881)[CVE-2022-24785](https://nvd.nist.gov/vuln/detail/cve-2022-24785)[CVE-2022-23540 ](https://nvd.nist.gov/vuln/detail/CVE-2022-23540)[CVE-2021-3918 ](https://nvd.nist.gov/vuln/detail/CVE-2021-3918)[CVE-2021-3749](https://nvd.nist.gov/vuln/detail/CVE-2021-3749)[CVE-2021-26540](https://nvd.nist.gov/vuln/detail/CVE-2021-26540)[CVE-2021-26539](https://nvd.nist.gov/vuln/detail/CVE-2021-26539) [CVE-2021-23771 ](https://nvd.nist.gov/vuln/detail/CVE-2021-23771) [CVE-2021-23566 ](https://nvd.nist.gov/vuln/detail/CVE-2021-23566)[CVE-2021-23382](https://nvd.nist.gov/vuln/detail/CVE-2021-23382)[CVE-2021-23337 ](https://nvd.nist.gov/vuln/detail/CVE-2021-23337)[CVE-2020-8203 ](https://nvd.nist.gov/vuln/detail/CVE-2020-8203)[CVE-2020-7766 ](https://nvd.nist.gov/vuln/detail/CVE-2020-7766)[CVE-2020-7712 ](https://nvd.nist.gov/vuln/detail/CVE-2020-7712) [CVE-2020-28500](https://nvd.nist.gov/vuln/detail/CVE-2020-28500)[CVE-2020-15084 ](https://nvd.nist.gov/vuln/detail/CVE-2020-15084) [CVE-2019-10775 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10775)[CVE-2019-10744 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10744)[CVE-2019-10742](https://nvd.nist.gov/vuln/detail/CVE-2019-10742)[CVE-2019-1010266 ](https://nvd.nist.gov/vuln/detail/CVE-2019-1010266)[CVE-2018-16487 ](https://nvd.nist.gov/vuln/detail/CVE-2018-16487)[CVE-2018-1109](https://nvd.nist.gov/vuln/detail/CVE-2018-1109)[CVE-2018-3721 ](https://nvd.nist.gov/vuln/detail/CVE-2018-3721)[CVE-2017-18214 ](https://nvd.nist.gov/vuln/detail/CVE-2017-18214)[CVE-2017-16137](https://nvd.nist.gov/vuln/detail/CVE-2017-16137) [CVE-2017-16016 ](https://nvd.nist.gov/vuln/detail/CVE-2017-16016)[CVE-2016-10707](https://nvd.nist.gov/vuln/detail/CVE-2016-10707)[CVE-2016-1000237 ](https://nvd.nist.gov/vuln/detail/CVE-2016-1000237) [GHSA-mm7p-fcc7-pg87](https://github.com/advisories/GHSA-mm7p-fcc7-pg87)[ ](https://github.com/advisories/GHSA-9h6g-pr28-7cqp)[GHSA-9h6g-pr28-7cqp ](https://github.com/advisories/GHSA-9h6g-pr28-7cqp)[GHSA-9v62-24cr-58cx ](https://github.com/advisories/GHSA-9v62-24cr-58cx)[GHSA-4xcv-9jjx-gfj3](https://github.com/advisories/GHSA-4xcv-9jjx-gfj3) 52 **Total methods** **137**

## Unsupported ### Latent and Potential At the Latent and Potential levels, Fluid Attacks' testing does not support CVEs/advisories outside its [supported databases](https://help.fluidattacks.com/portal/en/kb/articles/vulnerability-signature-update) and supported languages and packages. ### Reachable At the Reachable level, Fluid Attacks' analysis does not support any CVE/advisory corresponding to vulnerabilities in software libraries not listed in the above table. > [!TIP] > > **Free trial**Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your [21-day free trial](https://app.fluidattacks.com/SignUp) and discover the benefits of the [Continuous Hacking](https://fluidattacks.com/services/continuous-hacking/) [Essential plan](https://fluidattacks.com/plans/). If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out [this contact form](https://fluidattacks.com/contact-us/).